Method for establishing secure communication link between computers of virtual private network without user entering any cryptographic information

ABSTRACT

A technique is disclosed for establishing a secure communication link between a first computer and a second computer over a computer network. Initially, a secure communication mode of communication is enabled at a first computer without a user entering any cryptographic information for establishing the secure communication mode of communication. Then, a secure communication link is established between the first computer and a second computer over a computer network based on the enabled secure communication mode of communication. The secure communication link is a virtual private network communication link over the computer network in which one or more data values that vary according to a pseudo-random sequence are inserted into each data packet.

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims priority from and is a continuationpatent application of co-pending U.S. application Ser. No. 09/558,209,filed Apr. 26, 2000, which is a continuation-in-part patent applicationof previously-filed U.S. application Ser. No. 09/504,783, filed on Feb.15, 2000, now U.S. Pat. No. 6,502,135, issued Dec. 31, 2002, whichclaims priority from and is a continuation-in-part patent application ofpreviously-filed U.S. application Ser. No. 09/429,643, filed on Oct. 29,1999. The subject matter of U.S. application Ser. No. 09/429,643, whichis bodily incorporated herein, derives from provisional U.S. applicationnumbers 60/106,261 (filed Oct. 30, 1998) and 60/137,704 (filed Jun. 7,1999). The present application is also related to U.S. application Ser.No. 09/558,210, filed Apr. 26, 2000, and which is incorporated byreference herein.

BACKGROUND OF THE INVENTION

[0002] A tremendous variety of methods have been proposed andimplemented to provide security and anonymity for communications overthe Internet. The variety stems, in part, from the different needs ofdifferent Internet users. A basic heuristic framework to aid indiscussing these different security techniques is illustrated in FIG. 1.Two terminals, an originating terminal 100 and a destination terminal110 are in communication over the Internet. It is desired for thecommunications to be secure, that is, immune to eavesdropping. Forexample, terminal 100 may transmit secret information to terminal 110over the Internet 107. Also, it may be desired to prevent aneavesdropper from discovering that terminal 100 is in communication withterminal 110. For example, if terminal 100 is a user and terminal 110hosts a web site, terminal 100's user may not want anyone in theintervening networks to know what web sites he is “visiting.” Anonymitywould thus be an issue, for example, for companies that want to keeptheir market research interests private and thus would prefer to preventoutsiders from knowing which web-sites or other Internet resources theyare “visiting.” These two security issues may be called data securityand anonymity, respectively.

[0003] Data security is usually tackled using some form of dataencryption. An encryption key 48 is known at both the originating andterminating terminals 100 and 110. The keys may be private and public atthe originating and destination terminals 100 and 110, respectively orthey may be symmetrical keys (the same key is used by both parties toencrypt and decrypt). Many encryption methods are known and usable inthis context.

[0004] To hide traffic from a local administrator or ISP, a user canemploy a local proxy server in communicating over an encrypted channelwith an outside proxy such that the local administrator or ISP only seesthe encrypted traffic. Proxy servers prevent destination servers fromdetermining the identities of the originating clients. This systememploys an intermediate server interposed between client and destinationserver. The destination server sees only the Internet Protocol (IP)address of the proxy server and not the originating client. The targetserver only sees the address of the outside proxy. This scheme relies ona trusted outside proxy server. Also, proxy schemes are vulnerable totraffic analysis methods of determining identities of transmitters andreceivers. Another important limitation of proxy servers is that theserver knows the identities of both calling and called parties. In manyinstances, an originating terminal, such as terminal A, would prefer tokeep its identity concealed from the proxy, for example, if the proxyserver is provided by an Internet service provider (ISP).

[0005] To defeat traffic analysis, a scheme called Chaum's mixes employsa proxy server that transmits and receives fixed length messages,including dummy messages. Multiple originating terminals are connectedthrough a mix (a server) to multiple target servers. It is difficult totell which of the originating terminals are communicating to which ofthe connected target servers, and the dummy messages confuseeavesdroppers' efforts to detect communicating pairs by analyzingtraffic. A drawback is that there is a risk that the mix server could becompromised. One way to deal with this risk is to spread the trust amongmultiple mixes. If one mix is compromised, the identities of theoriginating and target terminals may remain concealed. This strategyrequires a number of alternative mixes so that the intermediate serversinterposed between the originating and target terminals are notdeterminable except by compromising more than one mix. The strategywraps the message with multiple layers of encrypted addresses. The firstmix in a sequence can decrypt only the outer layer of the message toreveal the next destination mix in sequence. The second mix can decryptthe message to reveal the next mix and so on. The target server receivesthe message and, optionally, a multi-layer encrypted payload containingreturn information to send data back in the same fashion. The only wayto defeat such a mix scheme is to collude among mixes. If the packetsare all fixed-length and intermixed with dummy packets, there is no wayto do any kind of traffic analysis.

[0006] Still another anonymity technique, called ‘crowds,’ protects theidentity of the originating terminal from the intermediate proxies byproviding that originating terminals belong to groups of proxies calledcrowds. The crowd proxies are interposed between originating and targetterminals. Each proxy through which the message is sent is randomlychosen by an upstream proxy. Each intermediate proxy can send themessage either to another randomly chosen proxy in the “crowd” or to thedestination. Thus, even crowd members cannot determine if a precedingproxy is the originator of the message or if it was simply passed fromanother proxy.

[0007] ZKS (Zero-Knowledge Systems) Anonymous IP Protocol allows usersto select up to any of five different pseudonyms, while desktop softwareencrypts outgoing traffic and wraps it in User Datagram Protocol (UDP)packets. The first server in a 2+-hop system gets the UDP packets,strips off one 1 layer of encryption to add another, then sends thetraffic to the next server, which strips off yet another layer ofencryption and adds a new one. The user is permitted to control thenumber of hops. At the final server, traffic is decrypted with anuntraceable IP address. The technique is called onion-routing. Thismethod can be defeated using traffic analysis. For a simple example,bursts of packets from a user during low-duty periods can reveal theidentities of sender and receiver.

[0008] Firewalls attempt to protect LANs from unauthorized access andhostile exploitation or damage to computers connected to the LAN.Firewalls provide a server through which all access to the LAN mustpass. Firewalls are centralized systems that require administrativeoverhead to maintain. They can be compromised by virtual-machineapplications (“applets”). They instill a false sense of security thatleads to security breaches for example by users sending sensitiveinformation to servers outside the firewall or encouraging use of modemsto sidestep the firewall security. Firewalls are not useful fordistributed systems such as business travelers, extranets, small teams,etc.

SUMMARY OF THE INVENTION

[0009] A secure mechanism for communicating over the internet, includinga protocol referred to as the Tunneled Agile Routing Protocol (TARP),uses a unique two-layer encryption format and special TARP routers. TARProuters are similar in function to regular IP routers. Each TARP routerhas one or more IP addresses and uses normal IP protocol to send IPpacket messages (“packets” or “datagrams”). The IP packets exchangedbetween TARP terminals via TARP routers are actually encrypted packetswhose true destination address is concealed except to TARP routers andservers. The normal or “clear” or “outside” IP header attached to TARPIP packets contains only the address of a next hop router or destinationserver. That is, instead of indicating a final destination in thedestination field of the IP header, the TARP packet's IP header alwayspoints to a next-hop in a series of TARP router hops, or to the finaldestination. This means there is no overt indication from an interceptedTARP packet of the true destination of the TARP packet since thedestination could always be next-hop TARP router as well as the finaldestination.

[0010] Each TARP packet's true destination is concealed behind a layerof encryption generated using a link key. The link key is the encryptionkey used for encrypted communication between the hops interveningbetween an originating TARP terminal and a destination TARP terminal.Each TARP router can remove the outer layer of encryption to reveal thedestination router for each TARP packet. To identify the link key neededto decrypt the outer layer of encryption of a TARP packet, a receivingTARP or routing terminal may identify the transmitting terminal by thesender/receiver IP numbers in the cleartext IP header.

[0011] Once the outer layer of encryption is removed, the TARP routerdetermines the final destination. Each TARP packet 140 undergoes aminimum number of hops to help foil traffic analysis. The hops may bechosen at random or by a fixed value. As a result, each TARP packet maymake random trips among a number of geographically disparate routersbefore reaching its destination. Each trip is highly likely to bedifferent for each packet composing a given message because each trip isindependently randomly determined. This feature is called agile routing.The fact that different packets take different routes provides distinctadvantages by making it difficult for an interloper to obtain all thepackets forming an entire multi-packet message. The associatedadvantages have to do with the inner layer of encryption discussedbelow. Agile routing is combined with another feature that furthers thispurpose; a feature that ensures that any message is broken into multiplepackets.

[0012] The IP address of a TARP router can be changed, a feature calledIP agility. Each TARP router, independently or under direction fromanother TARP terminal or router, can change its IP address. A separate,unchangeable identifier or address is also defined. This address, calledthe TARP address, is known only to TARP routers and terminals and may becorrelated at any time by a TARP router or a TARP terminal using aLookup Table (LUT). When a TARP router or terminal changes its IPaddress, it updates the other TARP routers and terminals which in turnupdate their respective LUTs.

[0013] The message payload is hidden behind an inner layer of encryptionin the TARP packet that can only be unlocked using a session key. Thesession key is not available to any of the intervening TARP routers. Thesession key is used to decrypt the payloads of the TARP packetspermitting the data stream to be reconstructed.

[0014] Communication may be made private using link and session keys,which in turn may be shared and used according to any desired method.For example, public/private keys or symmetric keys may be used.

[0015] To transmit a data stream, a TARP originating terminal constructsa series of TARP packets from a series of IP packets generated by anetwork (IP) layer process. (Note that the terms “network layer,” “datalink layer,” “application layer,” etc. used in this specificationcorrespond to the Open Systems Interconnection (OSI) networkterminology.) The payloads of these packets are assembled into a blockand chain-block encrypted using the session key. This assumes, ofcourse, that all the IP packets are destined for the same TARP terminal.The block is then interleaved and the interleaved encrypted block isbroken into a series of payloads, one for each TARP packet to begenerated. Special TARP headers IPT are then added to each payload usingthe IP headers from the data stream packets. The TARP headers can beidentical to normal IP headers or customized in some way. They shouldcontain a formula or data for deinterleaving the data at the destinationTARP terminal, a time-to-live (TTL) parameter to indicate the number ofhops still to be executed, a data type identifier which indicateswhether the payload contains, for example, TCP or UDP data, the sender'sTARP address, the destination TARP address, and an indicator as towhether the packet contains real or decoy data or a formula forfiltering out decoy data if decoy data is spread in some way through theTARP payload data.

[0016] Note that although chain-block encryption is discussed here withreference to the session key, any encryption method may be used.Preferably, as in chain block encryption, a method should be used thatmakes unauthorized decryption difficult without an entire result of theencryption process. Thus, by separating the encrypted block amongmultiple packets and making it difficult for an interloper to obtainaccess to all of such packets, the contents of the communications areprovided an extra layer of security.

[0017] Decoy or dummy data can be added to a stream to help foil trafficanalysis by reducing the peak-to-average network load. It may bedesirable to provide the TARP process with an ability to respond to thetime of day or other criteria to generate more decoy data during lowtraffic periods so that communication bursts at one point in theInternet cannot be tied to communication bursts at another point toreveal the communicating endpoints.

[0018] Dummy data also helps to break the data into a larger number ofinconspicuously-sized packets permitting the interleave window size tobe increased while maintaining a reasonable size for each packet. (Thepacket size can be a single standard size or selected from a fixed rangeof sizes.) One primary reason for desiring for each message to be brokeninto multiple packets is apparent if a chain block encryption scheme isused to form the first encryption layer prior to interleaving. A singleblock encryption may be applied to portion, or entirety, of a message,and that portion or entirety then interleaved into a number of separatepackets. Considering the agile IP routing of the packets, and theattendant difficulty of reconstructing an entire sequence of packets toform a single block-encrypted message element, decoy packets cansignificantly increase the difficulty of reconstructing an entire datastream.

[0019] The above scheme may be implemented entirely by processesoperating between the data link layer and the network layer of eachserver or terminal participating in the TARP system. Because theencryption system described above is insertable between the data linkand network layers, the processes involved in supporting the encryptedcommunication may be completely transparent to processes at the IP(network) layer and above. The TARP processes may also be completelytransparent to the data link layer processes as well. Thus, nooperations at or above the Network layer, or at or below the data linklayer, are affected by the insertion of the TARP stack. This providesadditional security to all processes at or above the network layer,since the difficulty of unauthorized penetration of the network layer(by, for example, a hacker) is increased substantially. Even newlydeveloped servers running at the session layer leave all processes belowthe session layer vulnerable to attack. Note that in this architecture,security is distributed. That is, notebook computers used by executiveson the road, for example, can communicate over the Internet without anycompromise in security.

[0020] IP address changes made by TARP terminals and routers can be doneat regular intervals, at random intervals, or upon detection of“attacks.” The variation of IP addresses hinders traffic analysis thatmight reveal which computers are communicating, and also provides adegree of immunity from attack. The level of immunity from attack isroughly proportional to the rate at which the IP address of the host ischanging.

[0021] As mentioned, IP addresses may be changed in response to attacks.An attack may be revealed, for example, by a regular series of messagesindicating that a router is being probed in some way. Upon detection ofan attack, the TARP layer process may respond to this event by changingits IP address. In addition, it may create a subprocess that maintainsthe original IP address and continues interacting with the attacker insome manner.

[0022] Decoy packets may be generated by each TARP terminal on somebasis determined by an algorithm. For example, the algorithm may be arandom one which calls for the generation of a packet on a random basiswhen the terminal is idle. Alternatively, the algorithm may beresponsive to time of day or detection of low traffic to generate moredecoy packets during low traffic times. Note that packets are preferablygenerated in groups, rather than one by one, the groups being sized tosimulate real messages. In addition, so that decoy packets may beinserted in normal TARP message streams, the background loop may have alatch that makes it more likely to insert decoy packets when a messagestream is being received. Alternatively, if a large number of decoypackets is received along with regular TARP packets, the algorithm mayincrease the rate of dropping of decoy packets rather than forwardingthem. The result of dropping and generating decoy packets in this way isto make the apparent incoming message size different from the apparentoutgoing message size to help foil traffic analysis.

[0023] In various other embodiments of the invention, a scalable versionof the system may be constructed in which a plurality of IP addressesare preassigned to each pair of communicating nodes in the network. Eachpair of nodes agrees upon an algorithm for “hopping” between IPaddresses (both sending and receiving), such that an eavesdropper seesapparently continuously random IP address pairs (source and destination)for packets transmitted between the pair. Overlapping or “reusable” IPaddresses may be allocated to different users on the same subnet, sinceeach node merely verifies that a particular packet includes a validsource/destination pair from the agreed-upon algorithm.Source/destination pairs are preferably not reused between any two nodesduring any given end-to-end session, though limited IP block sizes orlengthy sessions might require it.

[0024] Further improvements described in this continuation-in-partapplication include: (1) a load balancer that distributes packets acrossdifferent transmission paths according to transmission path quality; (2)a DNS proxy server that transparently creates a virtual private networkin response to a domain name inquiry; (3) a large-to-small linkbandwidth management feature that prevents denial-of-service attacks atsystem chokepoints; (4) a traffic limiter that regulates incomingpackets by limiting the rate at which a transmitter can be synchronizedwith a receiver; and (5) a signaling synchronizer that allows a largenumber of nodes to communicate with a central node by partitioning thecommunication function between two separate entities The presentinvention provides key technologies for implementing a secure virtualInternet by using a new agile network protocol that is built on top ofthe existing Internet protocol (IP). The secure virtual Internet worksover the existing Internet infrastructure, and interfaces with clientapplications the same way as the existing Internet. The key technologiesprovided by the present invention that support the secure virtualInternet include a “one-click” and “no-click” technique to become partof the secure virtual Internet, a secure domain name service (SDNS) forthe secure virtual Internet, and a new approach for interfacing specificclient applications onto the secure virtual Internet. According to theinvention, the secure domain name service interfaces with existingapplications, in addition to providing a way to register and servedomain names and addresses.

[0025] According to one aspect of the present invention, a user canconveniently establish a VPN using a “one-click” or a “no-click”technique without being required to enter user identificationinformation, a password and/or an encryption key for establishing a VPN.The advantages of the present invention are provided by a method forestablishing a secure communication link between a first computer and asecond computer over a computer network, such as the Internet. In oneembodiment, a secure communication mode is enabled at a first computerwithout a user entering any cryptographic information for establishingthe secure communication mode of communication, preferably by merelyselecting an icon displayed on the first computer. Alternatively, thesecure communication mode of communication can be enabled by entering acommand into the first computer. Then, a secure communication link isestablished between the first computer and a second computer over acomputer network based on the enabled secure communication mode ofcommunication. According to the invention, it is determined whether asecure communication software module is stored on the first computer inresponse to the step of enabling the secure communication mode ofcommunication. A predetermined computer network address is then accessedfor loading the secure communication software module when the softwaremodule is not stored on the first computer. Subsequently, the proxysoftware module is stored in the first computer. The securecommunication link is a virtual private network communication link overthe computer network. Preferably, the virtual private network can bebased on inserting into each data packet one or more data values thatvary according to a pseudo-random sequence. Alternatively, the virtualprivate network can be based on a computer network address hoppingregime that is used to pseudorandomly change computer network addressesor other data values in packets transmitted between the first computerand the second computer, such that the second computer compares the datavalues in each data packet transmitted between the first computer andthe second computer to a moving window of valid values. Yet anotheralternative provides that the virtual private network can be based on acomparison between a discriminator field in each data packet to a tableof valid discriminator fields maintained for the first computer.

[0026] According to another aspect of the invention, a command isentered to define a setup parameter associated with the securecommunication link mode of communication. Consequently, the securecommunication mode is automatically established when a communicationlink is established over the computer network.

[0027] The present invention also provides a computer system having acommunication link to a computer network, and a display showing ahyperlink for establishing a virtual private network through thecomputer network. When the hyperlink for establishing the virtualprivate network is selected, a virtual private network is establishedover the computer network. A non-standard top-level domain name is thensent over the virtual private network communication to a predeterminedcomputer network address, such as a computer network address for asecure domain name service (SDNS).

[0028] The present invention provides a domain name service thatprovides secure computer network addresses for secure, non-standardtop-level domain names. The advantages of the present invention areprovided by a secure domain name service for a computer network thatincludes a portal connected to a computer network, such as the Internet,and a domain name database connected to the computer network through theportal. According to the invention, the portal authenticates a query fora secure computer network address, and the domain name database storessecure computer network addresses for the computer network. Each securecomputer network address is based on a non-standard top-level domainname, such as .scom, .sorg, .snet, .snet, .sedu, smil and .sint.

[0029] The present invention provides a way to encapsulate existingapplication network traffic at the application layer of a clientcomputer so that the client application can securely communicate with aserver protected by an agile network protocol. The advantages of thepresent invention are provided by a method for communicating using aprivate communication link between a client computer and a servercomputer over a computer network, such as the Internet. According to theinvention, an information packet is sent from the client computer to theserver computer over the computer network. The information packetcontains data that is inserted into the payload portion of the packet atthe application layer of the client computer and is used for forming avirtual private connection between the client computer and the servercomputer. The modified information packet can be sent through a firewallbefore being sent over the computer network to the server computer andby working on top of existing protocols (i.e., UDP, ICMP and TCP), thepresent invention more easily penetrates the firewall. The informationpacket is received at a kernel layer of an operating system on theserver side. It is then determined at the kernel layer of the operatingsystem on the host computer whether the information packet contains thedata that is used for forming the virtual private connection. The serverside replies by sending an information packet to the client computerthat has been modified at the kernel layer to containing virtual privateconnection information in the payload portion of the reply informationpacket. Preferably, the information packet from the client computer andthe reply information packet from the server side are each a UDPprotocol information packet. Alternative, both information packets couldbe a TCP/IP protocol information packet, or an ICMP protocol informationpacket.

BRIEF DESCRIPTION OF THE DRAWINGS

[0030]FIG. 1 is an illustration of secure communications over theInternet according to a prior art embodiment.

[0031]FIG. 2 is an illustration of secure communications over theInternet according to a an embodiment of the invention.

[0032]FIG. 3a is an illustration of a process of forming a tunneled IPpacket according to an embodiment of the invention.

[0033]FIG. 3b is an illustration of a process of forming a tunneled IPpacket according to another embodiment of the invention.

[0034]FIG. 4 is an illustration of an OSI layer location of processesthat may be used to implement the invention.

[0035]FIG. 5 is a flow chart illustrating a process for routing atunneled packet according to an embodiment of the invention.

[0036]FIG. 6 is a flow chart illustrating a process for forming atunneled packet according to an embodiment of the invention.

[0037]FIG. 7 is a flow chart illustrating a process for receiving atunneled packet according to an embodiment of the invention.

[0038]FIG. 8 shows how a secure session is established and synchronizedbetween a client and a TARP router.

[0039]FIG. 9 shows an IP address hopping scheme between a clientcomputer and TARP router using transmit and receive tables in eachcomputer.

[0040]FIG. 10 shows physical link redundancy among three InternetService Providers (ISPs) and a client computer.

[0041]FIG. 11 shows how multiple IP packets can be embedded into asingle “frame” such as an Ethernet frame, and further shows the use of adiscriminator field to camouflage true packet recipients.

[0042]FIG. 12A shows a system that employs hopped hardware addresses,hopped IP addresses, and hopped discriminator fields.

[0043]FIG. 12B shows several different approaches for hopping hardwareaddresses, IP addresses, and discriminator fields in combination.

[0044]FIG. 13 shows a technique for automatically re-establishingsynchronization between sender and receiver through the use of apartially public sync value.

[0045]FIG. 14 shows a “checkpoint” scheme for regaining synchronizationbetween a sender and recipient.

[0046]FIG. 15 shows further details of the checkpoint scheme of FIG. 14.

[0047]FIG. 16 shows how two addresses can be decomposed into a pluralityof segments for comparison with presence vectors.

[0048]FIG. 17 shows a storage array for a receiver's active addresses.

[0049]FIG. 18 shows the receiver's storage array after receiving a syncrequest.

[0050]FIG. 19 shows the receiver's storage array after new addresseshave been generated.

[0051]FIG. 20 shows a system employing distributed transmission paths.

[0052]FIG. 21 shows a plurality of link transmission tables that can beused to route packets in the system of FIG. 20.

[0053]FIG. 22A shows a flowchart for adjusting weight valuedistributions associated with a plurality of transmission links.

[0054]FIG. 22B shows a flowchart for setting a weight value to zero if atransmitter turns off.

[0055]FIG. 23 shows a system employing distributed transmission pathswith adjusted weight value distributions for each path.

[0056]FIG. 24 shows an example using the system of FIG. 23.

[0057]FIG. 25 shows a conventional domain-name look-up service.

[0058]FIG. 26 shows a system employing a DNS proxy server withtransparent VPN creation.

[0059]FIG. 27 shows steps that can be carried out to implementtransparent VPN creation based on a DNS look-up function.

[0060]FIG. 28 shows a system including a link guard function thatprevents packet overloading on a low-bandwidth link LOW BW.

[0061]FIG. 29 shows one embodiment of a system employing the principlesof FIG. 28.

[0062]FIG. 30 shows a system that regulates packet transmission rates bythrottling the rate at which synchronizations are performed.

[0063]FIG. 31 shows a signaling server 3101 and a transport server 3102used to establish a VPN with a client computer.

[0064]FIG. 32 shows message flows relating to synchronization protocolsof FIG. 31.

[0065]FIG. 33 shows a system block diagram of a computer network inwhich the “one-click” secure communication link of the present inventionis suitable for use.

[0066]FIG. 34 shows a flow diagram for installing and establishing a“one-click” secure communication link over a computer network accordingto the present invention.

[0067]FIG. 35 shows a flow diagram for registering a secure domain nameaccording to the present invention.

[0068]FIG. 36 shows a system block diagram of a computer network inwhich a private connection according to the present invention can beconfigured to more easily traverse a firewall between two computernetworks.

[0069]FIG. 37 shows a flow diagram for establishing a virtual privateconnection that is encapsulated using an existing network protocol.

DETAILED DESCRIPTION OF THE INVENTION

[0070] Referring to FIG. 2, a secure mechanism for communicating overthe internet employs a number of special routers or servers, called TARProuters 122-127 that are similar to regular IP routers 128-132 in thateach has one or more IP addresses and uses normal IP protocol to sendnormal-looking IP packet messages, called TARP packets 140. TARP packets140 are identical to normal IP packet messages that are routed byregular IP routers 128-132 because each TARP packet 140 contains adestination address as in a normal IP packet. However, instead ofindicating a final destination in the destination field of the IPheader, the TARP packet's 140 IP header always points to a next-hop in aseries of TARP router hops, or the final destination, TARP terminal 110.Because the header of the TARP packet contains only the next-hopdestination, there is no overt indication from an intercepted TARPpacket of the true destination of the TARP packet 140 since thedestination could always be the next-hop TARP router as well as thefinal destination, TARP terminal 110.

[0071] Each TARP packet's true destination is concealed behind an outerlayer of encryption generated using a link key 146. The link key 146 isthe encryption key used for encrypted communication between the endpoints (TARP terminals or TARP routers) of a single link in the chain ofhops connecting the originating TARP terminal 100 and the destinationTARP terminal 110. Each TARP router 122-127, using the link key 146 ituses to communicate with the previous hop in a chain, can use the linkkey to reveal the true destination of a TARP packet. To identify thelink key needed to decrypt the outer layer of encryption of a TARPpacket, a receiving TARP or routing terminal may identify thetransmitting terminal (which may indicate the link key used) by thesender field of the clear IP header. Alternatively, this identity may behidden behind another layer of encryption in available bits in the clearIP header. Each TARP router, upon receiving a TARP message, determinesif the message is a TARP message by using authentication data in theTARP packet. This could be recorded in available bytes in the TARPpacket's IP header. Alternatively, TARP packets could be authenticatedby attempting to decrypt using the link key 146 and determining if theresults are as expected. The former may have computational advantagesbecause it does not involve a decryption process.

[0072] Once the outer layer of decryption is completed by a TARP router122-127, the TARP router determines the final destination. The system ispreferably designed to cause each TARP packet 140 to undergo a minimumnumber of hops to help foil traffic analysis. The time to live counterin the IP header of the TARP message may be used to indicate a number ofTARP router hops yet to be completed. Each TARP router then woulddecrement the counter and determine from that whether it should forwardthe TARP packet 140 to another TARP router 122-127 or to the destinationTARP terminal 110. If the time to live counter is zero or below zeroafter decrementing, for an example of usage, the TARP router receivingthe TARP packet 140 may forward the TARP packet 140 to the destinationTARP terminal 110. If the time to live counter is above zero afterdecrementing, for an example of usage, the TARP router receiving theTARP packet 140 may forward the TARP packet 140 to a TARP router 122-127that the current TARP terminal chooses at random. As a result, each TARPpacket 140 is routed through some minimum number of hops of TARP routers122-127 which are chosen at random.

[0073] Thus, each TARP packet, irrespective of the traditional factorsdetermining traffic in the Internet, makes random trips among a numberof geographically disparate routers before reaching its destination andeach trip is highly likely to be different for each packet composing agiven message because each trip is independently randomly determined asdescribed above. This feature is called agile routing. For reasons thatwill become clear shortly, the fact that different packets takedifferent routes provides distinct advantages by making it difficult foran interloper to obtain all the packets forming an entire multi-packetmessage. Agile routing is combined with another feature that furthersthis purpose, a feature that ensures that any message is broken intomultiple packets.

[0074] A TARP router receives a TARP packet when an IP address used bythe TARP router coincides with the IP address in the TARP packet's IPheader IP_(C). The IP address of a TARP router, however, may not remainconstant. To avoid and manage attacks, each TARP router, independentlyor under direction from another TARP terminal or router, may change itsIP address. A separate, unchangeable identifier or address is alsodefined. This address, called the TARP address, is known only to TARProuters and terminals and may be correlated at any time by a TARP routeror a TARP terminal using a Lookup Table (LUT). When a TARP router orterminal changes its IP address, it updates the other TARP routers andterminals which in turn update their respective LUTs. In reality,whenever a TARP router looks up the address of a destination in theencrypted header, it must convert a TARP address to a real IP addressusing its LUT.

[0075] While every TARP router receiving a TARP packet has the abilityto determine the packet's final destination, the message payload isembedded behind an inner layer of encryption in the TARP packet that canonly be unlocked using a session key. The session key is not availableto any of the TARP routers 122-127 intervening between the originating100 and destination 110 TARP terminals. The session key is used todecrypt the payloads of the TARP packets 140 permitting an entiremessage to be reconstructed.

[0076] In one embodiment, communication may be made private using linkand session keys, which in turn may be shared and used according anydesired method. For example, a public key or symmetric keys may becommunicated between link or session endpoints using a public keymethod. Any of a variety of other mechanisms for securing data to ensurethat only authorized computers can have access to the privateinformation in the TARP packets 140 may be used as desired.

[0077] Referring to FIG. 3a, to construct a series of TARP packets, adata stream 300 of IP packets 207 a, 207 b, 207 c, etc., such series ofpackets being formed by a network (IP) layer process, is broken into aseries of small sized segments. In the present example, equal-sizedsegments 1-9 are defined and used to construct a set of interleaved datapackets A, B, and C. Here it is assumed that the number of interleavedpackets A, B, and C formed is three and that the number of IP packets207 a-207 c used to form the three interleaved packets A, B, and C isexactly three. Of course, the number of IP packets spread over a groupof interleaved packets may be any convenient number as may be the numberof interleaved packets over which the incoming data stream is spread.The latter, the number of interleaved packets over which the data streamis spread, is called the interleave window.

[0078] To create a packet, the transmitting software interleaves thenormal IP packets 207 a et. seq. to form a new set of interleavedpayload data 320. This payload data 320 is then encrypted using asession key to form a set of session-key-encrypted payload data 330,each of which, A, B, and C, will form the payload of a TARP packet.Using the IP header data, from the original packets 207 a-207 c, newTARP headers IP_(T) are formed. The TARP headers IP_(T) can be identicalto normal IP headers or customized in some way. In a preferredembodiment, the TARP headers IPT are IP headers with added dataproviding the following information required for routing andreconstruction of messages, some of which data is ordinarily, or capableof being, contained in normal IP headers:

[0079] 1. A window sequence number—an identifier that indicates wherethe packet belongs in the original message sequence.

[0080] 2. An interleave sequence number—an identifier that indicates theinterleaving sequence used to form the packet so that the packet can bedeinterleaved along with other packets in the interleave window.

[0081] 3. A time-to-live (TTL) datum—indicates the number ofTARP-router-hops to be executed before the packet reaches itsdestination. Note that the TTL parameter may provide a datum to be usedin a probabilistic formula for determining whether to route the packetto the destination or to another hop.

[0082] 4. Data type identifier—indicates whether the payload contains,for example, TCP or UDP data.

[0083] 5. Sender's address—indicates the sender's address in the TARPnetwork.

[0084] 6. Destination address—indicates the destination terminal'saddress in the TARP network.

[0085] 7. Decoy/Real—an indicator of whether the packet contains realmessage data or dummy decoy data or a combination.

[0086] Obviously, the packets going into a single interleave window mustinclude only packets with a common destination. Thus, it is assumed inthe depicted example that the IP headers of IP packets 207 a-207 c allcontain the same destination address or at least will be received by thesame terminal so that they can be deinterleaved. Note that dummy ordecoy data or packets can be added to form a larger interleave windowthan would otherwise be required by the size of a given message. Decoyor dummy data can be added to a stream to help foil traffic analysis byleveling the load on the network. Thus, it may be desirable to providethe TARP process with an ability to respond to the time of day or othercriteria to generate more decoy data during low traffic periods so thatcommunication bursts at one point in the Internet cannot be tied tocommunication bursts at another point to reveal the communicatingendpoints.

[0087] Dummy data also helps to break the data into a larger number ofinconspicuously-sized packets permitting the interleave window size tobe increased while maintaining a reasonable size for each packet. (Thepacket size can be a single standard size or selected from a fixed rangeof sizes.) One primary reason for desiring for each message to be brokeninto multiple packets is apparent if a chain block encryption scheme isused to form the first encryption layer prior to interleaving. A singleblock encryption may be applied to a portion, or the entirety, of amessage, and that portion or entirety then interleaved into a number ofseparate packets.

[0088] Referring to FIG. 3b, in an alternative mode of TARP packetconstruction, a series of IP packets are accumulated to make up apredefined interleave window. The payloads of the packets are used toconstruct a single block 520 for chain block encryption using thesession key. The payloads used to form the block are presumed to bedestined for the same terminal. The block size may coincide with theinterleave window as depicted in the example embodiment of FIG. 3b.After encryption, the encrypted block is broken into separate payloadsand segments which are interleaved as in the embodiment of FIG. 3a. Theresulting interleaved packets A, B, and C, are then packaged as TARPpackets with TARP headers as in the Example of FIG. 3a. The remainingprocess is as shown in, and discussed with reference to, FIG. 3a.

[0089] Once the TARP packets 340 are formed, each entire TARP packet340, including the TARP header IP_(T), is encrypted using the link keyfor communication with the first-hop-TARP router. The first hop TARProuter is randomly chosen. A final unencrypted IP header IP_(C) is addedto each encrypted TARP packet 340 to form a normal IP packet 360 thatcan be transmitted to a TARP router. Note that the process ofconstructing the TARP packet 360 does not have to be done in stages asdescribed. The above description is just a useful heuristic fordescribing the final product, namely, the TARP packet.

[0090] Note that, TARP header IP_(T) could be a completely custom headerconfiguration with no similarity to a normal IP header except that itcontain the information identified above. This is so since this headeris interpreted by only TARP routers.

[0091] The above scheme may be implemented entirely by processesoperating between the data link layer and the network layer of eachserver or terminal participating in the TARP system. Referring to FIG.4, a TARP transceiver 405 can be an originating terminal 100, adestination terminal 110, or a TARP router 122-127. In each TARPTransceiver 405, a transmitting process is generated to receive normalpackets from the Network (IP) layer and generate TARP packets forcommunication over the network. A receiving process is generated toreceive normal IP packets containing TARP packets and generate fromthese normal IP packets which are “passed up” to the Network (IP) layer.Note that where the TARP Transceiver 405 is a router, the received TARPpackets 140 are not processed into a stream of IP packets 415 becausethey need only be authenticated as proper TARP packets and then passedto another TARP router or a TARP destination terminal 110. Theintervening process, a “TARP Layer” 420, could be combined with eitherthe data link layer 430 or the Network layer 410. In either case, itwould intervene between the data link layer 430 so that the processwould receive regular IP packets containing embedded TARP packets and“hand up” a series of reassembled IP packets to the Network layer 410.As an example of combining the TARP layer 420 with the data link layer430, a program may augment the normal processes running a communicationscard, for example, an Ethernet card. Alternatively, the TARP layerprocesses may form part of a dynamically loadable module that is loadedand executed to support communications between the network and data linklayers.

[0092] Because the encryption system described above can be insertedbetween the data link and network layers, the processes involved insupporting the encrypted communication may be completely transparent toprocesses at the IP (network) layer and above. The TARP processes mayalso be completely transparent to the data link layer processes as well.Thus, no operations at or above the network layer, or at or below thedata link layer, are affected by the insertion of the TARP stack. Thisprovides additional security to all processes at or above the networklayer, since the difficulty of unauthorized penetration of the networklayer (by, for example, a hacker) is increased substantially. Even newlydeveloped servers running at the session layer leave all processes belowthe session layer vulnerable to attack. Note that in this architecture,security is distributed. That is, notebook computers used by executiveson the road, for example, can communicate over the Internet without anycompromise in security.

[0093] Note that IP address changes made by TARP terminals and routerscan be done at regular intervals, at random intervals, or upon detectionof “attacks.” The variation of IP addresses hinders traffic analysisthat might reveal which computers are communicating, and also provides adegree of immunity from attack. The level of immunity from attack isroughly proportional to the rate at which the IP address of the host ischanging.

[0094] As mentioned, IP addresses may be changed in response to attacks.An attack may be revealed, for example, by a regular series of messagesindicates that a router is being probed in some way. Upon detection ofan attack, the TARP layer process may respond to this event by changingits IP address. To accomplish this, the TARP process will construct aTARP-formatted message, in the style of Internet Control MessageProtocol (ICMP) datagrams as an example; this message will contain themachine's TARP address, its previous IP address, and its new IP address.The TARP layer will transmit this packet to at least one known TARProuter; then upon receipt and validation of the message, the TARP routerwill update its LUT with the new IP address for the stated TARP address.The TARP router will then format a similar message, and broadcast it tothe other TARP routers so that they may update their LUTs. Since thetotal number of TARP routers on any given subnet is expected to berelatively small, this process of updating the LUTs should be relativelyfast. It may not, however, work as well when there is a relatively largenumber of TARP routers and/or a relatively large number of clients; thishas motivated a refinement of this architecture to provide scalability;this refinement has led to a second embodiment, which is discussedbelow.

[0095] Upon detection of an attack, the TARP process may also create asubprocess that maintains the original IP address and continuesinteracting with the attacker. The latter may provide an opportunity totrace the attacker or study the attacker's methods (called “fishbowling”drawing upon the analogy of a small fish in a fish bowl that “thinks” itis in the ocean but is actually under captive observation). A history ofthe communication between the attacker and the abandoned (fishbowled) IPaddress can be recorded or transmitted for human analysis or furthersynthesized for purposes of responding in some way.

[0096] As mentioned above, decoy or dummy data or packets can be addedto outgoing data streams by TARP terminals or routers. In addition tomaking it convenient to spread data over a larger number of separatepackets, such decoy packets can also help to level the load on inactiveportions of the Internet to help foil traffic analysis efforts.

[0097] Decoy packets may be generated by each TARP terminal 100, 110 oreach router 122-127 on some basis determined by an algorithm. Forexample, the algorithm may be a random one which calls for thegeneration of a packet on a random basis when the terminal is idle.Alternatively, the algorithm may be responsive to time of day ordetection of low traffic to generate more decoy packets during lowtraffic times. Note that packets are preferably generated in groups,rather than one by one, the groups being sized to simulate realmessages. In addition, so that decoy packets may be inserted in normalTARP message streams, the background loop may have a latch that makes itmore likely to insert decoy packets when a message stream is beingreceived. That is, when a series of messages are received, the decoypacket generation rate may be increased. Alternatively, if a largenumber of decoy packets is received along with regular TARP packets, thealgorithm may increase the rate of dropping of decoy packets rather thanforwarding them. The result of dropping and generating decoy packets inthis way is to make the apparent incoming message size different fromthe apparent outgoing message size to help foil traffic analysis. Therate of reception of packets, decoy or otherwise, may be indicated tothe decoy packet dropping and generating processes through perishabledecoy and regular packet counters. (A perishable counter is one thatresets or decrements its value in response to time so that it contains ahigh value when it is incremented in rapid succession and a small valuewhen incremented either slowly or a small number of times in rapidsuccession.) Note that destination TARP terminal 110 may generate decoypackets equal in number and size to those TARP packets received to makeit appear it is merely routing packets and is therefore not thedestination terminal.

[0098] Referring to FIG. 5, the following particular steps may beemployed in the above-described method for routing TARP packets.

[0099] S0. A background loop operation is performed which applies analgorithm which determines the generation of decoy IP packets. The loopis interrupted when an encrypted TARP packet is received.

[0100] S2. The TARP packet may be probed in some way to authenticate thepacket before attempting to decrypt it using the link key. That is, therouter may determine that the packet is an authentic TARP packet byperforming a selected operation on some data included with the clear IPheader attached to the encrypted TARP packet contained in the payload.This makes it possible to avoid performing decryption on packets thatare not authentic TARP packets.

[0101] S3. The TARP packet is decrypted to expose the destination TARPaddress and an indication of whether the packet is a decoy packet orpart of a real message.

[0102] S4. If the packet is a decoy packet, the perishable decoy counteris incremented.

[0103] S5. Based on the decoy generation/dropping algorithm and theperishable decoy counter value, if the packet is a decoy packet, therouter may choose to throw it away. If the received packet is a decoypacket and it is determined that it should be thrown away (S6), controlreturns to step S0.

[0104] S7. The TTL parameter of the TARP header is decremented and it isdetermined if the TTL parameter is greater than zero.

[0105] S8. If the TTL parameter is greater than zero, a TARP address israndomly chosen from a list of TARP addresses maintained by the routerand the link key and IP address corresponding to that TARP addressmemorized for use in creating a new IP packet containing the TARPpacket.

[0106] S9. If the TTL parameter is zero or less, the link key and IPaddress corresponding to the TARP address of the destination arememorized for use in creating the new IP packet containing the TARPpacket.

[0107] S10. The TARP packet is encrypted using the memorized link key.

[0108] S11. An IP header is added to the packet that contains the storedIP address, the encrypted TARP packet wrapped with an IP header, and thecompleted packet transmitted to the next hop or destination.

[0109] Referring to FIG. 6, the following particular steps may beemployed in the above-described method for generating TARP packets.

[0110] S20. A background loop operation applies an algorithm thatdetermines the generation of decoy IP packets. The loop is interruptedwhen a data stream containing IP packets is received for transmission.

[0111] S21. The received IP packets are grouped into a set consisting ofmessages with a constant IP destination address. The set is furtherbroken down to coincide with a maximum size of an interleave window Theset is encrypted, and interleaved into a set of payloads destined tobecome TARP packets.

[0112] S22. The TARP address corresponding to the IP address isdetermined from a lookup table and stored to generate the TARP header.An initial TTL count is generated and stored in the header. The TTLcount may be random with minimum and maximum values or it may be fixedor determined by some other parameter.

[0113] S23. The window sequence numbers and interleave sequence numbersare recorded in the TARP headers of each packet.

[0114] S24. One TARP router address is randomly chosen for each TARPpacket and the IP address corresponding to it stored for use in theclear IP header. The link key corresponding to this router is identifiedand used to encrypt TARP packets containing interleaved and encrypteddata and TARP headers.

[0115] S25. A clear IP header with the first hop router's real IPaddress is generated and added to each of the encrypted TARP packets andthe resulting packets.

[0116] Referring to FIG. 7, the following particular steps may beemployed in the above-described method for receiving TARP packets.

[0117] S40. A background loop operation is performed which applies analgorithm which determines the generation of decoy IP packets. The loopis interrupted when an encrypted TARP packet is received.

[0118] S42. The TARP packet may be probed to authenticate the packetbefore attempting to decrypt it using the link key.

[0119] S43. The TARP packet is decrypted with the appropriate link keyto expose the destination TARP address and an indication of whether thepacket is a decoy packet or part of a real message.

[0120] S44. If the packet is a decoy packet, the perishable decoycounter is incremented.

[0121] S45. Based on the decoy generation/dropping algorithm and theperishable decoy counter value, if the packet is a decoy packet, thereceiver may choose to throw it away.

[0122] S46. The TARP packets are cached until all packets forming aninterleave window are received.

[0123] S47. Once all packets of an interleave window are received, thepackets are deinterleaved.

[0124] S48. The packets block of combined packets defining theinterleave window is then decrypted using the session key.

[0125] S49. The decrypted block is then divided using the windowsequence data and the IP_(T) headers are converted into normal IPCheaders. The window sequence numbers are integrated in the IPC headers.

[0126] S50. The packets are then handed up to the IP layer processes.

1. Scalability Enhancements

[0127] The IP agility feature described above relies on the ability totransmit IP address changes to all TARP routers. The embodimentsincluding this feature will be referred to as “boutique” embodiments dueto potential limitations in scaling these features up for a largenetwork, such as the Internet. (The “boutique” embodiments would,however, be robust for use in smaller networks, such as small virtualprivate networks, for example). One problem with the boutiqueembodiments is that if IP address changes are to occur frequently, themessage traffic required to update all routers sufficiently quicklycreates a serious burden on the Internet when the TARP router and/orclient population gets large. The bandwidth burden added to thenetworks, for example in ICMP packets, that would be used to update allthe TARP routers could overwhelm the Internet for a large scaleimplementation that approached the scale of the Internet. In otherwords, the boutique system's scalability is limited.

[0128] A system can be constructed which trades some of the features ofthe above embodiments to provide the benefits of IP agility without theadditional messaging burden. This is accomplished by IP address-hoppingaccording to shared algorithms that govern IP addresses used betweenlinks participating in communications sessions between nodes such asTARP nodes. (Note that the IP hopping technique is also applicable tothe boutique embodiment.) The IP agility feature discussed with respectto the boutique system can be modified so that it becomes decentralizedunder this scalable regime and governed by the above-described sharedalgorithm. Other features of the boutique system may be combined withthis new type of IP-agility.

[0129] The new embodiment has the advantage of providing IP agilitygoverned by a local algorithm and set of IP addresses exchanged by eachcommunicating pair of nodes. This local governance issession-independent in that it may govern communications between a pairof nodes, irrespective of the session or end points being transferredbetween the directly communicating pair of nodes.

[0130] In the scalable embodiments, blocks of IP addresses are allocatedto each node in the network. (This scalability will increase in thefuture, when Internet Protocol addresses are increased to 128-bitfields, vastly increasing the number of distinctly addressable nodes).Each node can thus use any of the IP addresses assigned to that node tocommunicate with other nodes in the network. Indeed, each pair ofcommunicating nodes can use a plurality of source IP addresses anddestination IP addresses for communicating with each other.

[0131] Each communicating pair of nodes in a chain participating in anysession stores two blocks of IP addresses, called netblocks, and analgorithm and randomization seed for selecting, from each netblock, thenext pair of source/destination IP addresses that will be used totransmit the next message. In other words, the algorithm governs thesequential selection of IP-address pairs, one sender and one receiver IPaddress, from each netblock. The combination of algorithm, seed, andnetblock (IP address block) will be called a “hopblock.” A router issuesseparate transmit and receive hopblocks to its clients. The send addressand the receive address of the IP header of each outgoing packet sent bythe client are filled with the send and receive IP addresses generatedby the algorithm. The algorithm is “clocked” (indexed) by a counter sothat each time a pair is used, the algorithm turns out a new transmitpair for the next packet to be sent.

[0132] The router's receive hopblock is identical to the client'stransmit hopblock. The router uses the receive hopblock to predict whatthe send and receive IP address pair for the next expected packet fromthat client will be. Since packets can be received out of order, it isnot possible for the router to predict with certainty what IP addresspair will be on the next sequential packet. To account for this problem,the router generates a range of predictions encompassing the number ofpossible transmitted packet send/receive addresses, of which the nextpacket received could leap ahead. Thus, if there is a vanishingly smallprobability that a given packet will arrive at the router ahead of 5packets transmitted by the client before the given packet, then therouter can generate a series of 6 send/receive IP address pairs (or “hopwindow”) to compare with the next received packet. When a packet isreceived, it is marked in the hop window as such, so that a secondpacket with the same IP address pair will be discarded. If anout-of-sequence packet does not arrive within a predetermined timeoutperiod, it can be requested for retransmission or simply discarded fromthe receive table, depending upon the protocol in use for thatcommunications session, or possibly by convention.

[0133] When the router receives the client's packet, it compares thesend and receive IP addresses of the packet with the next N predictedsend and receive IP address pairs and rejects the packet if it is not amember of this set. Received packets that do not have the predictedsource/destination IP addresses falling with the window are rejected,thus thwarting possible hackers. (With the number of possiblecombinations, even a fairly large window would be hard to fall into atrandom.) If it is a member of this set, the router accepts the packetand processes it further. This link-based IP-hopping strategy, referredto as “IHOP,” is a network element that stands on its own and is notnecessarily accompanied by elements of the boutique system describedabove. If the routing agility feature described in connection with theboutique embodiment is combined with this link-based IP-hoppingstrategy, the router's next step would be to decrypt the TARP header todetermine the destination TARP router for the packet and determine whatshould be the next hop for the packet. The TARP router would thenforward the packet to a random TARP router or the destination TARProuter with which the source TARP router has a link-based IP hoppingcommunication established.

[0134]FIG. 8 shows how a client computer 801 and a TARP router 811 canestablish a secure session. When client 801 seeks to establish an IHOPsession with TARP router 811, the client 801 sends “securesynchronization” request (“SSYN”) packet 821 to the TARP router 811.This SYN packet 821 contains the client's 801 authentication token, andmay be sent to the router 811 in an encrypted format. The source anddestination IP numbers on the packet 821 are the client's 801 currentfixed IP address, and a “known” fixed IP address for the router 811.(For security purposes, it may be desirable to reject any packets fromoutside of the local network that are destined for the router's knownfixed IP address.) Upon receipt and validation of the client's 801 SSYNpacket 821, the router 811 responds by sending an encrypted “securesynchronization acknowledgment” (“SSYN ACK”) 822 to the client 801. ThisSSYN ACK 822 will contain the transmit and receive hopblocks that theclient 801 will use when communicating with the TARP router 811. Theclient 801 will acknowledge the TARP router's 811 response packet 822 bygenerating an encrypted SSYN ACK ACK packet 823 which will be sent fromthe client's 801 fixed IP address and to the TARP router's 811 knownfixed IP address. The client 801 will simultaneously generate a SSYN ACKACK packet; this SSYN ACK packet, referred to as the Secure SessionInitiation (SSI) packet 824, will be sent with the first {sender,receiver} IP pair in the client's transmit table 921 (FIG. 9), asspecified in the transmit hopblock provided by the TARP router 811 inthe SSYN ACK packet 822. The TARP router 811 will respond to the SSIpacket 824 with an SSI ACK packet 825, which will be sent with the first{sender, receiver} IP pair in the TARP router's transmit table 923. Oncethese packets have been successfully exchanged, the securecommunications session is established, and all further securecommunications between the client 801 and the TARP router 811 will beconducted via this secure session, as long as synchronization ismaintained. If synchronization is lost, then the client 801 and TARProuter 802 may re-establish the secure session by the procedure outlinedin FIG. 8 and described above.

[0135] While the secure session is active, both the client 901 and TARProuter 911 (FIG. 9) will maintain their respective transmit tables 921,923 and receive tables 922, 924, as provided by the TARP router duringsession synchronization 822. It is important that the sequence of IPpairs in the client's transmit table 921 be identical to those in theTARP router's receive table 924; similarly, the sequence of IP pairs inthe client's receive table 922 must be identical to those in therouter's transmit table 923. This is required for the sessionsynchronization to be maintained. The client 901 need maintain only onetransmit table 921 and one receive table 922 during the course of thesecure session. Each sequential packet sent by the client 901 willemploy the next {send, receive} IP address pair in the transmit table,regardless of TCP or UDP session. The TARP router 911 will expect eachpacket arriving from the client 901 to bear the next IP address pairshown in its receive table.

[0136] Since packets can arrive out of order, however, the router 911can maintain a “look ahead” buffer in its receive table, and will markpreviously-received IP pairs as invalid for future packets; any futurepacket containing an IP pair that is in the look-ahead buffer but ismarked as previously received will be discarded. Communications from theTARP router 911 to the client 901 are maintained in an identical manner;in particular, the router 911 will select the next IP address pair fromits transmit table 923 when constructing a packet to send to the client901, and the client 901 will maintain a look-ahead buffer of expected IPpairs on packets that it is receiving. Each TARP router will maintainseparate pairs of transmit and receive tables for each client that iscurrently engaged in a secure session with or through that TARP router.

[0137] While clients receive their hopblocks from the first serverlinking them to the Internet, routers exchange hopblocks. When a routerestablishes a link-based IP-hopping communication regime with anotherrouter, each router of the pair exchanges its transmit hopblock. Thetransmit hopblock of each router becomes the receive hopblock of theother router. The communication between routers is governed as describedby the example of a client sending a packet to the first router.

[0138] While the above strategy works fine in the IP milieu, many localnetworks that are connected to the Internet are Ethernet systems. InEthernet, the IP addresses of the destination devices must be translatedinto hardware addresses, and vice versa, using known processes (“addressresolution protocol,” and “reverse address resolution protocol”).However, if the link-based IP-hopping strategy is employed, thecorrelation process would become explosive and burdensome. Analternative to the link-based IP hopping strategy may be employed withinan Ethernet network. The solution is to provide that the node linkingthe Internet to the Ethernet (call it the border node) use thelink-based IP-hopping communication regime to communicate with nodesoutside the Ethernet LAN. Within the Ethernet LAN, each TARP node wouldhave a single IP address which would be addressed in the conventionalway. Instead of comparing the {sender, receiver} IP address pairs toauthenticate a packet, the intra-LAN TARP node would use one of the IPheader extension fields to do so. Thus, the border node uses analgorithm shared by the intra-LAN TARP node to generate a symbol that isstored in the free field in the IP header, and the intra-LAN TARP nodegenerates a range of symbols based on its prediction of the nextexpected packet to be received from that particular source IP address.The packet is rejected if it does not fall into the set of predictedsymbols (for example, numerical values) or is accepted if it does.Communications from the intra-LAN TARP node to the border node areaccomplished in the same manner, though the algorithm will necessarilybe different for security reasons. Thus, each of the communicating nodeswill generate transmit and receive tables in a similar manner to that ofFIG. 9; the intra-LAN TARP nodes transmit table will be identical to theborder node's receive table, and the intra-LAN TARP node's receive tablewill be identical to the border node's transmit table.

[0139] The algorithm used for IP address-hopping can be any desiredalgorithm. For example, the algorithm can be a given pseudo-randomnumber generator that generates numbers of the range covering theallowed IP addresses with a given seed. Alternatively, the sessionparticipants can assume a certain type of algorithm and specify simply aparameter for applying the algorithm. For example the assumed algorithmcould be a particular pseudo-random number generator and the sessionparticipants could simply exchange seed values.

[0140] Note that there is no permanent physical distinction between theoriginating and destination terminal nodes. Either device at either endpoint can initiate a synchronization of the pair. Note also that theauthentication/synchronization-request (and acknowledgment) andhopblock-exchange may all be served by a single message so that separatemessage exchanges may not be required.

[0141] As another extension to the stated architecture, multiplephysical paths can be used by a client, in order to provide linkredundancy and further thwart attempts at denial of service and trafficmonitoring. As shown in FIG. 10, for example, client 1001 can establishthree simultaneous sessions with each of three TARP routers provided bydifferent ISPs 1011, 1012, 1013. As an example, the client 1001 can usethree different telephone lines 1021, 1022, 1023 to connect to the ISPs,or two telephone lines and a cable modem, etc. In this scheme,transmitted packets will be sent in a random fashion among the differentphysical paths. This architecture provides a high degree ofcommunications redundancy, with improved immunity from denial-of-serviceattacks and traffic monitoring.

2. Further Extensions

[0142] The following describes various extensions to the techniques,systems, and methods described above. As described above, the securityof communications occurring between computers in a computer network(such as the Internet, an Ethernet, or others) can be enhanced by usingseemingly random source and destination Internet Protocol (IP) addressesfor data packets transmitted over the network. This feature preventseavesdroppers from determining which computers in the network arecommunicating with each other while permitting the two communicatingcomputers to easily recognize whether a given received data packet islegitimate or not. In one embodiment of the above-described systems, anIP header extension field is used to authenticate incoming packets on anEthernet.

[0143] Various extensions to the previously described techniquesdescribed herein include: (1) use of hopped hardware or “MAC” addressesin broadcast type network; (2) a self-synchronization technique thatpermits a computer to automatically regain synchronization with asender; (3) synchronization algorithms that allow transmitting andreceiving computers to quickly re-establish synchronization in the eventof lost packets or other events; and (4) a fast-packet rejectionmechanism for rejecting invalid packets. Any or all of these extensionscan be combined with the features described above in any of variousways.

A. Hardware Address Hopping

[0144] Internet protocol-based communications techniques on a LAN—oracross any dedicated physical medium-typically embed the IP packetswithin lower-level packets, often referred to as “frames.” As shown inFIG. 11, for example, a first Ethernet frame 1150 comprises a frameheader 1101 and two embedded IP packets IP1 and IP2, while a secondEthernet frame 1160 comprises a different frame header 1104 and a singleIP packet IP3. Each frame header generally includes a source hardwareaddress 101A and a destination hardware address 1101B; other well-knownfields in frame headers are omitted from FIG. 11 for clarity. Twohardware nodes communicating over a physical communication channelinsert appropriate source and destination hardware addresses to indicatewhich nodes on the channel or network should receive the frame.

[0145] It may be possible for a nefarious listener to acquireinformation about the contents of a frame and/or its communicants byexamining frames on a local network rather than (or in addition to) theIP packets themselves. This is especially true in broadcast media, suchas Ethernet, where it is necessary to insert into the frame header thehardware address of the machine that generated the frame and thehardware address of the machine to which frame is being sent. All nodeson the network can potentially “see” all packets transmitted across thenetwork. This can be a problem for secure communications, especially incases where the communicants do not want for any third party to be ableto identify who is engaging in the information exchange. One way toaddress this problem is to push the address-hopping scheme down to thehardware layer. In accordance with various embodiments of the invention,hardware addresses are “hopped” in a manner similar to that used tochange IP addresses, such that a listener cannot determine whichhardware node generated a particular message nor which node is theintended recipient.

[0146]FIG. 12A shows a system in which Media Access Control (“MAC”)hardware addresses are “hopped” in order to increase security over anetwork such as an Ethernet. While the description refers to theexemplary case of an Ethernet environment, the inventive principles areequally applicable to other types of communications media. In theEthernet case, the MAC address of the sender and receiver are insertedinto the Ethernet frame and can be observed by anyone on the LAN who iswithin the broadcast range for that frame. For secure communications, itbecomes desirable to generate frames with MAC addresses that are notattributable to any specific sender or receiver.

[0147] As shown in FIG. 12A, two computer nodes 1201 and 1202communicate over a communication channel such as an Ethernet. Each nodeexecutes one or more application programs 1203 and 1218 that communicateby transmitting packets through communication software 1204 and 1217,respectively. Examples of application programs include videoconferencing, e-mail, word processing programs, telephony, and the like.Communication software 1204 and 1217 can comprise, for example, an OSIlayered architecture or “stack” that standardizes various servicesprovided at different levels of functionality.

[0148] The lowest levels of communication software 1204 and 1217communicate with hardware components 1206 and 1214 respectively, each ofwhich can include one or more registers 1207 and 1215 that allow thehardware to be reconfigured or controlled in accordance with variouscommunication protocols. The hardware components (an Ethernet networkinterface card, for example) communicate with each other over thecommunication medium. Each hardware component is typically pre-assigneda fixed hardware address or MAC number that identifies the hardwarecomponent to other nodes on the network. One or more interface driverscontrol the operation of each card and can, for example, be configuredto accept or reject packets from certain hardware addresses. As will bedescribed in more detail below, various embodiments of the inventiveprinciples provide for “hopping” different addresses using one or morealgorithms and one or more moving windows that track a range of validaddresses to validate received packets. Packets transmitted according toone or more of the inventive principles will be generally referred to as“secure” packets or “secure communications” to differentiate them fromordinary data packets that are transmitted in the clear using ordinary,machine-correlated addresses.

[0149] One straightforward method of generating non-attributable MACaddresses is an extension of the IP hopping scheme. In this scenario,two machines on the same LAN that desire to communicate in a securefashion exchange random-number generators and seeds, and createsequences of quasi-random MAC addresses for synchronized hopping. Theimplementation and synchronization issues are then similar to that of IPhopping.

[0150] This approach, however, runs the risk of using MAC addresses thatare currently active on the LAN—which, in turn, could interruptcommunications for those machines. Since an Ethernet MAC address is atpresent 48 bits in length, the chance of randomly misusing an active MACaddress is actually quite small. However, if that figure is multipliedby a large number of nodes (as would be found on an extensive LAN), by alarge number of frames (as might be the case with packet voice orstreaming video), and by a large number of concurrent Virtual PrivateNetworks (VPNs), then the chance that a non-secure machine's MAC addresscould be used in an address-hopped frame can become non-trivial. Inshort, any scheme that runs even a small risk of interruptingcommunications for other machines on the LAN is bound to receiveresistance from prospective system administrators. Nevertheless, it istechnically feasible, and can be implemented without risk on a LAN onwhich there is a small number of machines, or if all of the machines onthe LAN are engaging in MAC-hopped communications.

[0151] Synchronized MAC address hopping may incur some overhead in thecourse of session establishment, especially if there are multiplesessions or multiple nodes involved in the communications. A simplermethod of randomizing MAC addresses is to allow each node to receive andprocess every incident frame on the network. Typically, each networkinterface driver will check the destination MAC address in the header ofevery incident frame to see if it matches that machine's MAC address; ifthere is no match, then the frame is discarded. In one embodiment,however, these checks can be disabled, and every incident packet ispassed to the TARP stack for processing. This will be referred to as“promiscuous” mode, since every incident frame is processed. Promiscuousmode allows the sender to use completely random, unsynchronized MACaddresses, since the destination machine is guaranteed to process theframe. The decision as to whether the packet was truly intended for thatmachine is handled by the TARP stack, which checks the source anddestination IP addresses for a match in its IP synchronization tables.If no match is found, the packet is discarded; if there is a match, thepacket is unwrapped, the inner header is evaluated, and if the innerheader indicates that the packet is destined for that machine then thepacket is forwarded to the IP stack-otherwise it is discarded.

[0152] One disadvantage of purely-random MAC address hopping is itsimpact on processing overhead; that is, since every incident frame mustbe processed, the machine's CPU is engaged considerably more often thanif the network interface driver is discriminating and rejecting packetsunilaterally. A compromise approach is to select either a single fixedMAC address or a small number of MAC addresses (e.g., one for eachvirtual private network on an Ethernet) to use for MAC-hoppedcommunications, regardless of the actual recipient for which the messageis intended. In this mode, the network interface driver can check eachincident frame against one (or a few) pre-established MAC addresses,thereby freeing the CPU from the task of physical-layer packetdiscrimination. This scheme does not betray any useful information to aninterloper on the LAN; in particular, every secure packet can already beidentified by a unique packet type in the outer header. However, sinceall machines engaged in secure communications would either be using thesame MAC address, or be selecting from a small pool of predetermined MACaddresses, the association between a specific machine and a specific MACaddress is effectively broken.

[0153] In this scheme, the CPU will be engaged more often than it wouldbe in non-secure communications (or in synchronized MAC addresshopping), since the network interface driver cannot always unilaterallydiscriminate between secure packets that are destined for that machine,and secure packets from other VPNs. However, the non-secure traffic iseasily eliminated at the network interface, thereby reducing the amountof processing required of the CPU. There are boundary conditions wherethese statements would not hold, of course-e.g., if all of the trafficon the LAN is secure traffic, then the CPU would be engaged to the samedegree as it is in the purely-random address hopping case;alternatively, if each VPN on the LAN uses a different MAC address, thenthe network interface can perfectly discriminate secure frames destinedfor the local machine from those constituting other VPNs. These areengineering tradeoffs that might be best handled by providingadministrative options for the users when installing the software and/orestablishing VPNs.

[0154] Even in this scenario, however, there still remains a slight riskof selecting MAC addresses that are being used by one or more nodes onthe LAN. One solution to this problem is to formally assign one addressor a range of addresses for use in MAC-hopped communications. This istypically done via an assigned numbers registration authority; e.g., inthe case of Ethernet, MAC address ranges are assigned to vendors by theInstitute of Electrical and Electronics Engineers (IEEE). Aformally-assigned range of addresses would ensure that secure frames donot conflict with any properly-configured and properly-functioningmachines on the LAN.

[0155] Reference will now be made to FIGS. 12A and 12B in order todescribe the many combinations and features that follow the inventiveprinciples. As explained above, two computer nodes 1201 and 1202 areassumed to be communicating over a network or communication medium suchas an Ethernet. A communication protocol in each node (1204 and 1217,respectively) contains a modified element 1205 and 1216 that performscertain functions that deviate from the standard communicationprotocols. In particular, computer node 1201 implements a first “hop”algorithm 1208X that selects seemingly random source and destination IPaddresses (and, in one embodiment, seemingly random IP headerdiscriminator fields) in order to transmit each packet to the othercomputer node. For example, node 1201 maintains a transmit table 1208containing triplets of source (S), destination (D), and discriminatorfields (DS) that are inserted into outgoing IP packet headers. The tableis generated through the use of an appropriate algorithm (e.g., a randomnumber generator that is seeded with an appropriate seed) that is knownto the recipient node 1202. As each new IP packet is formed, the nextsequential entry out of the sender's transmit table 1208 is used topopulate the IP source, IP destination, and IP header extension field(e.g., discriminator field). It will be appreciated that the transmittable need not be created in advance but could instead be createdon-the-fly by executing the algorithm when each packet is formed.

[0156] At the receiving node 1202, the same IP hop algorithm 1222X ismaintained and used to generate a receive table 1222 that lists validtriplets of source IP address, destination IP address, and discriminatorfield. This is shown by virtue of the first five entries of transmittable 1208 matching the second five entries of receive table 1222. (Thetables may be slightly offset at any particular time due to lostpackets, misordered packets, or transmission delays). Additionally, node1202 maintains a receive window W3 that represents a list of valid IPsource, IP destination, and discriminator fields that will be acceptedwhen received as part of an incoming IP packet. As packets are received,window W3 slides down the list of valid entries, such that the possiblevalid entries change over time. Two packets that arrive out of order butare nevertheless matched to entries within window W3 will be accepted;those falling outside of window W3 will be rejected as invalid. Thelength of window W3 can be adjusted as necessary to reflect networkdelays or other factors.

[0157] Node 1202 maintains a similar transmit table 1221 for creating IPpackets and frames destined for node 1201 using a potentially differenthopping algorithm 1221X, and node 1201 maintains a matching receivetable 1209 using the same algorithm 1209X. As node 1202 transmitspackets to node 1201 using seemingly random IP source, IP destination,and/or discriminator fields, node 1201 matches the incoming packetvalues to those falling within window W1 maintained in its receivetable. In effect, transmit table 1208 of node 1201 is synchronized(i.e., entries are selected in the same order) to receive table 1222 ofreceiving node 1202. Similarly, transmit table 1221 of node 1202 issynchronized to receive table 1209 of node 1201. It will be appreciatedthat although a common algorithm is shown for the source, destinationand discriminator fields in FIG. 12A (using, e.g., a different seed foreach of the three fields), an entirely different algorithm could in factbe used to establish values for each of these fields. It will also beappreciated that one or two of the fields can be “hopped” rather thanall three as illustrated.

[0158] In accordance with another aspect of the invention, hardware or“MAC” addresses are hopped instead of or in addition to IP addressesand/or the discriminator field in order to improve security in a localarea or broadcast-type network. To that end, node 1201 further maintainsa transmit table 1210 using a transmit algorithm 1210X to generatesource and destination hardware addresses that are inserted into frameheaders (e.g., fields 1101A and 1101B in FIG. 11) that are synchronizedto a corresponding receive table 1224 at node 1202. Similarly, node 1202maintains a different transmit table 1223 containing source anddestination hardware addresses that is synchronized with a correspondingreceive table 1211 at node 1201. In this manner, outgoing hardwareframes appear to be originating from and going to completely randomnodes on the network, even though each recipient can determine whether agiven packet is intended for it or not. It will be appreciated that thehardware hopping feature can be implemented at a different level in thecommunications protocol than the IP hopping feature (e.g., in a carddriver or in a hardware card itself to improve performance).

[0159]FIG. 12B shows three different embodiments or modes that can beemployed using the aforementioned principles. In a first mode referredto as “promiscuous” mode, a common hardware address (e.g., a fixedaddress for source and another for destination) or else a completelyrandom hardware address is used by all nodes on the network, such that aparticular packet cannot be attributed to any one node. Each node mustinitially accept all packets containing the common (or random) hardwareaddress and inspect the IP addresses or discriminator field to determinewhether the packet is intended for that node. In this regard, either theIP addresses or the discriminator field or both can be varied inaccordance with an algorithm as described above. As explainedpreviously, this may increase each node's overhead since additionalprocessing is involved to determine whether a given packet has validsource and destination hardware addresses.

[0160] In a second mode referred to as “promiscuous per VPN” mode, asmall set of fixed hardware addresses are used, with a fixedsource/destination hardware address used for all nodes communicatingover a virtual private network. For example, if there are six nodes onan Ethernet, and the network is to be split up into two private virtualnetworks such that nodes on one VPN can communicate with only the othertwo nodes on its own VPN, then two sets of hardware addresses could beused: one set for the first VPN and a second set for the second VPN.This would reduce the amount of overhead involved in checking for validframes since only packets arriving from the designated VPN would need tobe checked. IP addresses and one or more discriminator fields couldstill be hopped as before for secure communication within the VPN. Ofcourse, this solution compromises the anonymity of the VPNs (i.e., anoutsider can easily tell what traffic belongs in which VPN, though hecannot correlate it to a specific machine/person). It also requires theuse of a discriminator field to mitigate the vulnerability to certaintypes of DoS attacks. (For example, without the discriminator field, anattacker on the LAN could stream frames containing the MAC addressesbeing used by the VPN; rejecting those frames could lead to excessiveprocessing overhead. The discriminator field would provide alow-overhead means of rejecting the false packets.)

[0161] In a third mode referred to as “hardware hopping” mode, hardwareaddresses are varied as illustrated in FIG. 12A, such that hardwaresource and destination addresses are changed constantly in order toprovide non-attributable addressing. Variations on these embodiments areof course possible, and the invention is not intended to be limited inany respect by these illustrative examples.

B. Extending the Address Space

[0162] Address hopping provides security and privacy. However, the levelof protection is limited by the number of addresses in the blocks beinghopped. A hopblock denotes a field or fields modulated on a packet-wisebasis for the purpose of providing a VPN. For instance, if two nodescommunicate with IP address hopping using hopblocks of 4 addresses (2bits) each, there would be 16 possible address-pair combinations. Awindow of size 16 would result in most address pairs being accepted asvalid most of the time. This limitation can be overcome by using adiscriminator field in addition to or instead of the hopped addressfields. The discriminator field would be hopped in exactly the samefashion as the address fields and it would be used to determine whethera packet should be processed by a receiver.

[0163] Suppose that two clients, each using four-bit hopblocks, wouldlike the same level of protection afforded to clients communicating viaIP hopping between two A blocks (24 address bits eligible for hopping).A discriminator field of 20 bits, used in conjunction with the 4 addressbits eligible for hopping in the IP address field, provides this levelof protection. A 24-bit discriminator field would provide a similarlevel of protection if the address fields were not hopped or ignored.Using a discriminator field offers the following advantages: (1) anarbitrarily high level of protection can be provided, and (2) addresshopping is unnecessary to provide protection. This may be important inenvironments where address hopping would cause routing problems.

C. Synchronization Techniques

[0164] It is generally assumed that once a sending node and receivingnode have exchanged algorithms and seeds (or similar informationsufficient to generate quasi-random source and destination tables),subsequent communication between the two nodes will proceed smoothly.Realistically, however, two nodes may lose synchronization due tonetwork delays or outages, or other problems. Consequently, it isdesirable to provide means for re-establishing synchronization betweennodes in a network that have lost synchronization.

[0165] One possible technique is to require that each node provide anacknowledgment upon successful receipt of each packet and, if noacknowledgment is received within a certain period of time, to re-sendthe unacknowledged packet. This approach, however, drives up overheadcosts and may be prohibitive in high-throughput environments such asstreaming video or audio, for example.

[0166] A different approach is to employ an automatic synchronizingtechnique that will be referred to herein as “self-synchronization.” Inthis approach, synchronization information is embedded into each packet,thereby enabling the receiver to re-synchronize itself upon receipt of asingle packet if it determines that is has lost synchronization with thesender. (If communications are already in progress, and the receiverdetermines that it is still in sync with the sender, then there is noneed to re-synchronize.) A receiver could detect that it was out ofsynchronization by, for example, employing a “dead-man” timer thatexpires after a certain period of time, wherein the timer is reset witheach valid packet. A time stamp could be hashed into the public syncfield (see below) to preclude packet-retry attacks.

[0167] In one embodiment, a “sync field” is added to the header of eachpacket sent out by the sender. This sync field could appear in the clearor as part of an encrypted portion of the packet. Assuming that a senderand receiver have selected a random-number generator (RNG) and seedvalue, this combination of RNG and seed can be used to generate arandom-number sequence (RNS). The RNS is then used to generate asequence of source/destination IP pairs (and, if desired, discriminatorfields and hardware source and destination addresses), as describedabove. It is not necessary, however, to generate the entire sequence (orthe first N-1 values) in order to generate the Nth random number in thesequence; if the sequence index N is known, the random valuecorresponding to that index can be directly generated (see below).Different RNGs (and seeds) with different fundamental periods could beused to generate the source and destination IP sequences, but the basicconcepts would still apply. For the sake of simplicity, the followingdiscussion will assume that IP source and destination address pairs(only) are hopped using a single RNG sequencing mechanism.

[0168] In accordance with a “self-synchronization” feature, a sync fieldin each packet header provides an index (i.e., a sequence number) intothe RNS that is being used to generate IP pairs. Plugging this indexinto the RNG that is being used to generate the RNS yields a specificrandom number value, which in turn yields a specific IP pair. That is,an IP pair can be generated directly from knowledge of the RNG, seed,and index number; it is not necessary, in this scheme, to generate theentire sequence of random numbers that precede the sequence valueassociated with the index number provided.

[0169] Since the communicants have presumably previously exchanged RNGsand seeds, the only new information that must be provided in order togenerate an IP pair is the sequence number. If this number is providedby the sender in the packet header, then the receiver need only plugthis number into the RNG in order to generate an IP pair—and thus verifythat the IP pair appearing in the header of the packet is valid. In thisscheme, if the sender and receiver lose synchronization, the receivercan immediately re-synchronize upon receipt of a single packet by simplycomparing the IP pair in the packet header to the IP pair generated fromthe index number. Thus, synchronized communications can be resumed uponreceipt of a single packet, making this scheme ideal for multicastcommunications. Taken to the extreme, it could obviate the need forsynchronization tables entirely; that is, the sender and receiver couldsimply rely on the index number in the sync field to validate the IPpair on each packet, and thereby eliminate the tables entirely.

[0170] The aforementioned scheme may have some inherent security issuesassociated with it—namely, the placement of the sync field. If the fieldis placed in the outer header, then an interloper could observe thevalues of the field and their relationship to the IP stream. This couldpotentially compromise the algorithm that is being used to generate theIP-address sequence, which would compromise the security of thecommunications. If, however, the value is placed in the inner header,then the sender must decrypt the inner header before it can extract thesync value and validate the IP pair; this opens up the receiver tocertain types of denial-of-service (DoS) attacks, such as packet replay.That is, if the receiver must decrypt a packet before it can validatethe IP pair, then it could potentially be forced to expend a significantamount of processing on decryption if an attacker simply retransmitspreviously valid packets. Other attack methodologies are possible inthis scenario.

[0171] A possible compromise between algorithm security and processingspeed is to split up the sync value between an inner (encrypted) andouter (unencrypted) header. That is, if the sync value is sufficientlylong, it could potentially be split into a rapidly-changing part thatcan be viewed in the clear, and a fixed (or very slowly changing) partthat must be protected. The part that can be viewed in the clear will becalled the “public sync” portion and the part that must be protectedwill be called the “private sync” portion.

[0172] Both the public sync and private sync portions are needed togenerate the complete sync value. The private portion, however, can beselected such that it is fixed or will change only occasionally. Thus,the private sync value can be stored by the recipient, thereby obviatingthe need to decrypt the header in order to retrieve it. If the senderand receiver have previously agreed upon the frequency with which theprivate part of the sync will change, then the receiver can selectivelydecrypt a single header in order to extract the new private sync if thecommunications gap that has led to lost synchronization has exceeded thelifetime of the previous private sync. This should not represent aburdensome amount of decryption, and thus should not open up thereceiver to denial-of-service attack simply based on the need tooccasionally decrypt a single header.

[0173] One implementation of this is to use a hashing function with aone-to-one mapping to generate the private and public sync portions fromthe sync value. This implementation is shown in FIG. 13, where (forexample) a first ISP 1302 is the sender and a second ISP 1303 is thereceiver. (Other alternatives are possible from FIG. 13.) A transmittedpacket comprises a public or “outer” header 1305 that is not encrypted,and a private or “inner” header 1306 that is encrypted using for examplea link key. Outer header 1305 includes a public sync portion while innerheader 1306 contains the private sync portion. A receiving node decryptsthe inner header using a decryption function 1307 in order to extractthe private sync portion. This step is necessary only if the lifetime ofthe currently buffered private sync has expired. (If thecurrently-buffered private sync is still valid, then it is simplyextracted from memory and “added” (which could be an inverse hash) tothe public sync, as shown in step 1308.) The public and decryptedprivate sync portions are combined in function 1308 in order to generatethe combined sync 1309. The combined sync (1309) is then fed into theRNG (1310) and compared to the IP address pair (13 11) to validate orreject the packet.

[0174] An important consideration in this architecture is the concept of“future” and “past” where the public sync values are concerned. Thoughthe sync values, themselves, should be random to prevent spoofingattacks, it may be important that the receiver be able to quicklyidentify a sync value that has already been sent—even if the packetcontaining that sync value was never actually received by the receiver.One solution is to hash a time stamp or sequence number into the publicsync portion, which could be quickly extracted, checked, and discarded,thereby validating the public sync portion itself.

[0175] In one embodiment, packets can be checked by comparing thesource/destination IP pair generated by the sync field with the pairappearing in the packet header. If (1) they match, (2) the time stamp isvalid, and (3) the dead-man timer has expired, then re-synchronizationoccurs; otherwise, the packet is rejected. If enough processing power isavailable, the dead-man timer and synchronization tables can be avoidedaltogether, and the receiver would simply resynchronize (e.g., validate)on every packet.

[0176] The foregoing scheme may require large-integer (e.g., 160-bit)math, which may affect its implementation. Without such large-integerregisters, processing throughput would be affected, thus potentiallyaffecting security from a denial-of-service standpoint. Nevertheless, aslarge-integer math processing features become more prevalent, the costsof implementing such a feature will be reduced.

D. Other Synchronization Schemes

[0177] As explained above, if W or more consecutive packets are lostbetween a transmitter and receiver in a VPN (where W is the windowsize), the receiver's window will not have been updated and thetransmitter will be transmitting packets not in the receiver's window.The sender and receiver will not recover synchronization until perhapsthe random pairs in the window are repeated by chance. Therefore, thereis a need to keep a transmitter and receiver in synchronization wheneverpossible and to re-establish synchronization whenever it is lost.

[0178] A “checkpoint” scheme can be used to regain synchronizationbetween a sender and a receiver that have fallen out of synchronization.In this scheme, a checkpoint message comprising a random IP address pairis used for communicating synchronization information. In oneembodiment, two messages are used to communicate synchronizationinformation between a sender and a recipient:

[0179] 1. SYNC_REQ is a message used by the sender to indicate that itwants to synchronize; and

[0180] 2. SYNC_ACK is a message used by the receiver to inform thetransmitter that it has been synchronized.

[0181] According to one variation of this approach, both the transmitterand receiver maintain three checkpoints (see FIG. 14):

[0182] 1. In the transmitter, ckpt_o (“checkpoint old”) is the IP pairthat was used to re-send the last SYNC_REQ packet to the receiver. Inthe receiver, ckpt_o (“checkpoint old”) is the IP pair that receivesrepeated SYNC_REQ packets from the transmitter.

[0183] 2. In the transmitter, ckpt_n (“checkpoint new”) is the IP pairthat will be used to send the next SYNC_REQ packet to the receiver. Inthe receiver, ckpt_n (“checkpoint new”) is the IP pair that receives anew SYNC_REQ packet from the transmitter and which causes the receiver'swindow to be re-aligned, ckpt_o set to ckpt_n, a new ckpt_n to begenerated and a new ckpt_r to be generated.

[0184] 3. In the transmitter, ckpt_r is the IP pair that will be used tosend the next SYNC_ACK packet to the receiver. In the receiver, ckpt_ris the IP pair that receives a new SYNC_ACK packet from the transmitterand which causes a new ckpt_n to be generated. Since SYNC_ACK istransmitted from the receiver ISP to the sender ISP, the transmitterckpt_r refers to the ckpt_r of the receiver and the receiver ckpt_rrefers to the ckpt_r of the transmitter (see FIG. 14).

[0185] When a transmitter initiates synchronization, the IP pair it willuse to transmit the next data packet is set to a predetermined value andwhen a receiver first receives a SYNC_REQ, the receiver window isupdated to be centered on the transmitter's next IP pair. This is theprimary mechanism for checkpoint synchronization.

[0186] Synchronization can be initiated by a packet counter (e.g., afterevery N packets transmitted, initiate a synchronization) or by a timer(every S seconds, initiate a synchronization) or a combination of both.See FIG. 15. From the transmitter's perspective, this technique operatesas follows: (1) Each transmitter periodically transmits a “sync request”message to the receiver to make sure that it is in sync. (2). If thereceiver is still in sync, it sends back a “sync ack” message. (If thisworks, no further action is necessary). (3) If no “sync ack” has beenreceived within a period of time, the transmitter retransmits the syncrequest again. If the transmitter reaches the next checkpoint withoutreceiving a “sync ack” response, then synchronization is broken, and thetransmitter should stop transmitting. The transmitter will continue tosend sync_reqs until it receives a sync_ack, at which point transmissionis reestablished.

[0187] From the receiver's perspective, the scheme operates as follows:(1) when it receives a “sync request” request from the transmitter, itadvances its window to the next checkpoint position (even skipping pairsif necessary), and sends a “sync ack” message to the transmitter. Ifsync was never lost, then the “jump ahead” really just advances to thenext available pair of addresses in the table (i.e., normaladvancement).

[0188] If an interloper intercepts the “sync request” messages and triesto interfere with communication by sending new ones, it will be ignoredif the synchronization has been established or it will actually help tore-establish synchronization.

[0189] A window is realigned whenever a re-synchronization occurs. Thisrealignment entails updating the receiver's window to straddle theaddress pairs used by the packet transmitted immediately after thetransmission of the SYNC_REQ packet. Normally, the transmitter andreceiver are in synchronization with one another. However, when networkevents occur, the receiver's window may have to be advanced by manysteps during resynchronization. In this case, it is desirable to movethe window ahead without having to step through the intervening randomnumbers sequentially. (This feature is also desirable for the auto-syncapproach discussed above).

E. Random Number Generator with a Jump-Ahead Capability

[0190] An attractive method for generating randomly hopped addresses isto use identical random number generators in the transmitter andreceiver and advance them as packets are transmitted and received. Thereare many random number generation algorithms that could be used. Eachone has strengths and weaknesses for address hopping applications.

[0191] Linear congruential random number generators (LCRs) are fast,simple and well characterized random number generators that can be madeto jump ahead n steps efficiently. An LCR generates random numbers X₁,X₂, X₃ . . . X_(k) starting with seed X₀ using a recurrence

X _(i=)(a X _(i−1) +b) mod c,  (1)

[0192] where a, b and c define a particular LCR. Another expression forX_(i),

X _(i)=((a ^(i)(X ₀ +b)−b)/(a−1)) mod c  (2)

[0193] enables the jump-ahead capability. The factor a^(i) can grow verylarge even for modest i if left unfettered. Therefore some specialproperties of the modulo operation can be used to control the size andprocessing time required to compute (2). (2) can be rewritten as:

X _(i)=(a ^(i)(X ₀(a−1)+b)−b)/(a−1) mod c.  (3)

[0194] It can be shown that:

(a ^(i)(X ₀(a−1)+b)−b)/(a−1) mod c=((a ^(i)mod((a−1)c)(X₀(a−1)+b)−b)/(a−1)) mod c  (4).

[0195] (X₀(a−1)+b) can be stored as (X₀(a−1)+b) mod c, b as b mod c andcompute a^(i) mod((a−1)c) (this requires O(log(i)) steps).

[0196] A practical implementation of this algorithm would jump a fixeddistance, n, between synchronizations; this is tantamount tosynchronizing every n packets. The window would commence n IP pairs fromthe start of the previous window. Using X_(j) ^(w), the random number atthe j^(th) checkpoint, as X₀ and n as i, a node can store an mod((a−1)c)once per LCR and set

X _(j+1) ^(w) =X _(n(j+1))=((a ^(n)mod((a−1)c)(X _(j)^(w)(a−1)+b)−b)/(a−1))mod c,  (5)

[0197] to generate the random number for the j+1^(th) synchronization.Using this construction, a node could jump ahead an arbitrary (butfixed) distance between synchronizations in a constant amount of time(independent of n).

[0198] Pseudo-random number generators, in general, and LCRs, inparticular, will eventually repeat their cycles. This repetition maypresent vulnerability in the IP hopping scheme. An adversary wouldsimply have to wait for a repeat to predict future sequences. One way ofcoping with this vulnerability is to create a random number generatorwith a known long cycle. A random sequence can be replaced by a newrandom number generator before it repeats. LCRs can be constructed withknown long cycles. This is not currently true of many random numbergenerators.

[0199] Random number generators can be cryptographically insecure. Anadversary can derive the RNG parameters by examining the output or partof the output. This is true of LCGs. This vulnerability can be mitigatedby incorporating an encryptor, designed to scramble the output as partof the random number generator. The random number generator prevents anadversary from mounting an attack—e.g., a known plaintext attack—againstthe encryptor.

F. Random Number Generator Example

[0200] Consider a RNG where a=31,b=4 and c=15. For this case equation(1) becomes:

X_(i)=(31 X _(i−1)+4)mod 15.  (6)

[0201] If one sets X₀₌1, equation (6) will produce the sequence 1, 5, 9,13, 2, 6, 10, 14, 3, 7, 11, 0, 4, 8, 12. This sequence will repeatindefinitely. For a jump ahead of 3 numbers in this sequencea^(n)=31³=29791, c*(a−1)=15*30=450 and a^(n) mod((a−1)c)=31³mod(15*30)=29791mod(450)=91. Equation (5) becomes:

(91(X _(i)30+4)−4)/30)mod 15  (7).

[0202] Table 1 shows the jump ahead calculations from (7). Thecalculations start at 5 and jump ahead 3. TABLE 1 I X_(i) (X_(i)30 + 4)91 (X_(i)30 + 4) − 4 ((91 (X_(i)30 + 4) − 4)/30 X_(i+3) 1 5 154 14010467 2 4 2 64 5820 194 14 7 14 424 38580 1286 11 10 11 334 30390 1013 813 8 244 22200 740 5

G. Fast Packet Filter

[0203] Address hopping VPNs must rapidly determine whether a packet hasa valid header and thus requires further processing, or has an invalidheader (a hostile packet) and should be immediately rejected. Such rapiddeterminations will be referred to as “fast packet filtering.” Thiscapability protects the VPN from attacks by an adversary who streamshostile packets at the receiver at a high rate of speed in the hope ofsaturating the receiver's processor (a so-called “denial of service”attack). Fast packet filtering is an important feature for implementingVPNs on shared media such as Ethernet.

[0204] Assuming that all participants in a VPN share an unassigned “A”block of addresses, one possibility is to use an experimental “A” blockthat will never be assigned to any machine that is not address hoppingon the shared medium. “A” blocks have a 24 bits of address that can behopped as opposed to the 8 bits in “C” blocks. In this case a hopblockwill be the “A” block. The use of the experimental “A” block is a likelyoption on an Ethernet because:

[0205] 1. The addresses have no validity outside of the Ethernet andwill not be routed out to a valid outside destination by a gateway.

[0206] 2. There are 2²⁴ (˜16 million) addresses that can be hoppedwithin each “A” block. This yields>280 trillion possible address pairsmaking it very unlikely that an adversary would guess a valid address.It also provides acceptably low probability of collision betweenseparate VPNs (all VPNs on a shared medium independently generate randomaddress pairs from the same “A” block).

[0207] 3. The packets will not be received by someone on the Ethernetwho is not on a VPN (unless the machine is in promiscuous mode)minimizing impact on non-VPN computers.

[0208] The Ethernet example will be used to describe one implementationof fast packet filtering. The ideal algorithm would quickly examine apacket header, determine whether the packet is hostile, and reject anyhostile packets or determine which active IP pair the packet headermatches. The problem is a classical associative memory problem. Avariety of techniques have been developed to solve this problem(hashing, B-trees etc). Each of these approaches has its strengths andweaknesses. For instance, hash tables can be made to operate quite fastin a statistical sense, but can occasionally degenerate into a muchslower algorithm. This slowness can persist for a period of time. Sincethere is a need to discard hostile packets quickly at all times, hashingwould be unacceptable.

H. Presence Vector Algorithm

[0209] A presence vector is a bit vector of length 2^(n) that can beindexed by n-bit numbers (each ranging from 0 to 2^(n)−1). One canindicate the presence of k n-bit numbers (not necessarily unique), bysetting the bits in the presence vector indexed by each number to 1.Otherwise, the bits in the presence vector are 0. An n-bit number, x, isone of the k numbers if and only if the x^(th) bit of the presencevector is 1. A fast packet filter can be implemented by indexing thepresence vector and looking for a 1, which will be referred to as the“test.”

[0210] For example, suppose one wanted to represent the number 135 usinga presence vector. The 135th bit of the vector would be set.Consequently, one could very quickly determine whether an address of 135was valid by checking only one bit: the 135^(th) bit. The presencevectors could be created in advance corresponding to the table entriesfor the IP addresses. In effect, the incoming addresses can be used asindices into a long vector, making comparisons very fast. As each RNGgenerates a new address, the presence vector is updated to reflect theinformation. As the window moves, the presence vector is updated to zeroout addresses that are no longer valid.

[0211] There is a trade-off between efficiency of the test and theamount of memory required for storing the presence vector(s). Forinstance, if one were to use the 48 bits of hopping addresses as anindex, the presence vector would have to be 35 terabytes. Clearly, thisis too large for practical purposes. Instead, the 48 bits can be dividedinto several smaller fields. For instance, one could subdivide the 48bits into four 12-bit fields (see FIG. 16). This reduces the storagerequirement to 2048 bytes at the expense of occasionally having toprocess a hostile packet. In effect, instead of one long presencevector, the decomposed address portions must match all four shorterpresence vectors before further processing is allowed. (If the firstpart of the address portion doesn't match the first presence vector,there is no need to check the remaining three presence vectors).

[0212] A presence vector will have a 1 in the y^(th) bit if and only ifone or more addresses with a corresponding field of y are active. Anaddress is active only if each presence vector indexed by theappropriate sub-field of the address is 1.

[0213] Consider a window of 32 active addresses and 3 checkpoints. Ahostile packet will be rejected by the indexing of one presence vectormore than 99% of the time. A hostile packet will be rejected by theindexing of all 4 presence vectors more than 99.9999995% of the time. Onaverage, hostile packets will be rejected in less than 1.02 presencevector index operations.

[0214] The small percentage of hostile packets that pass the fast packetfilter will be rejected when matching pairs are not found in the activewindow or are active checkpoints. Hostile packets that serendipitouslymatch a header will be rejected when the VPN software attempts todecrypt the header. However, these cases will be extremely rare. Thereare many other ways this method can be configured to arbitrate thespace/speed tradeoffs.

I. Further Synchronization Enhancements

[0215] A slightly modified form of the synchronization techniquesdescribed above can be employed. The basic principles of the previouslydescribed checkpoint synchronization scheme remain unchanged. Theactions resulting from the reception of the checkpoints are, however,slightly different. In this variation, the receiver will maintainbetween OoO (“Out of Order”) and 2×WINDOW_SIZE+OoO active addresses(1≦OoO≦WINDOW_SIZE and WINDOW_SIZE≧1). OoO and WINDOW_SIZE areengineerable parameters, where OoO is the minimum number of addressesneeded to accommodate lost packets due to events in the network or outof order arrivals and WINDOW_SIZE is the number of packets transmittedbefore a SYNC_REQ is issued. FIG. 17 depicts a storage array for areceiver's active addresses.

[0216] The receiver starts with the first 2×WINDOW_SIZE addresses loadedand active (ready to receive data). As packets are received, thecorresponding entries are marked as “used” and are no longer eligible toreceive packets. The transmitter maintains a packet counter, initiallyset to 0, containing the number of data packets transmitted since thelast initial transmission of a SYNC_REQ for which SYNC_ACK has beenreceived. When the transmitter packet counter equals WINDOW_SIZE, thetransmitter generates a SYNC_REQ and does its initial transmission. Whenthe receiver receives a SYNC_REQ corresponding to its current CKPT_N, itgenerates the next WINDOW_SIZE addresses and starts loading them inorder starting at the first location after the last active addresswrapping around to the beginning of the array after the end of the arrayhas been reached. The receiver's array might look like FIG. 18 when aSYNC_REQ has been received. In this case a couple of packets have beeneither lost or will be received out of order when the SYNC_REQ isreceived.

[0217]FIG. 19 shows the receiver's array after the new addresses havebeen generated. If the transmitter does not receive a SYNC_ACK, it willre-issue the SYNC_REQ at regular intervals. When the transmitterreceives a SYNC_ACK, the packet counter is decremented by WINDOW_SIZE.If the packet counter reaches 2×WINDOW_SIZE—OoO then the transmitterceases sending data packets until the appropriate SYNC_ACK is finallyreceived. The transmitter then resumes sending data packets. Futurebehavior is essentially a repetition of this initial cycle. Theadvantages of this approach are:

[0218] 1. There is no need for an efficient jump ahead in the randomnumber generator,

[0219] 2. No packet is ever transmitted that does not have acorresponding entry in the receiver side

[0220] 3. No timer based re-synchronization is necessary. This is aconsequence of 2.

[0221] 4. The receiver will always have the ability to accept datamessages transmitted within OoO messages of the most recentlytransmitted message.

J. Distributed Transmission Path Variant

[0222] Another embodiment incorporating various inventive principles isshown in FIG. 20. In this embodiment, a message transmission systemincludes a first computer 2001 in communication with a second computer2002 through a network 2011 of intermediary computers. In one variant ofthis embodiment, the network includes two edge routers 2003 and 2004each of which is linked to a plurality of Internet Service Providers(ISPs) 2005 through 2010. Each ISP is coupled to a plurality of otherISPs in an arrangement as shown in FIG. 20, which is a representativeconfiguration only and is not intended to be limiting. Each connectionbetween ISPs is labeled in FIG. 20 to indicate a specific physicaltransmission path (e.g., AD is a physical path that links ISP A (element2005) to ISP D (element 2008)). Packets arriving at each edge router areselectively transmitted to one of the ISPs to which the router isattached on the basis of a randomly or quasi-randomly selected basis.

[0223] As shown in FIG. 21, computer 2001 or edge router 2003incorporates a plurality of link transmission tables 2100 that identify,for each potential transmission path through the network, valid sets ofIP addresses that can be used to transmit the packet. For example, ADtable 2101 contains a plurality of IP source/destination pairs that arerandomly or quasi-randomly generated. When a packet is to be transmittedfrom first computer 2001 to second computer 2002, one of the link tablesis randomly (or quasi-randomly) selected, and the next validsource/destination address pair from that table is used to transmit thepacket through the network. If path AD is randomly selected, forexample, the next source/destination IP address pair (which ispre-determined to transmit between ISP A (element 2005) and ISP B(element 2008)) is used to transmit the packet. If one of thetransmission paths becomes degraded or inoperative, that link table canbe set to a “down” condition as shown in table 2105, thus preventingaddresses from being selected from that table. Other transmission pathswould be unaffected by this broken link.

[0224] 3. Continuation-In-Part Improvements

[0225] The following describes various improvements and features thatcan be applied to the embodiments described above. The improvementsinclude: (1) a load balancer that distributes packets across differenttransmission paths according to transmission path quality; (2) a DNSproxy server that transparently creates a virtual private network inresponse to a domain name inquiry; (3) a large-to-small link bandwidthmanagement feature that prevents denial-of-service attacks at systemchokepoints; (4) a traffic limiter that regulates incoming packets bylimiting the rate at which a transmitter can be synchronized with areceiver; and (5) a signaling synchronizer that allows a large number ofnodes to communicate with a central node by partitioning thecommunication function between two separate entities. Each is discussedseparately below.

A. Load Balancer

[0226] Various embodiments described above include a system in which atransmitting node and a receiving node are coupled through a pluralityof transmission paths, and wherein successive packets are distributedquasi-randomly over the plurality of paths. See, for example, FIGS. 20and 21 and accompanying description. The improvement extends this basicconcept to encompass distributing packets across different paths in sucha manner that the loads on the paths are generally balanced according totransmission link quality.

[0227] In one embodiment, a system includes a transmitting node and areceiving node that are linked via a plurality of transmission pathshaving potentially varying transmission quality. Successive packets aretransmitted over the paths based on a weight value distribution functionfor each path. The rate that packets will be transmitted over a givenpath can be different for each path. The relative “health” of eachtransmission path is monitored in order to identify paths that havebecome degraded. In one embodiment, the health of each path is monitoredin the transmitter by comparing the number of packets transmitted to thenumber of packet acknowledgements received. Each transmission path maycomprise a physically separate path (e.g., via dial-up phone line,computer network, router, bridge, or the like), or may compriselogically separate paths contained within a broadband communicationmedium (e.g., separate channels in an FDM, TDM, CDMA, or other type ofmodulated or unmodulated transmission link).

[0228] When the transmission quality of a path falls below apredetermined threshold and there are other paths that can transmitpackets, the transmitter changes the weight value used for that path,making it less likely that a given packet will be transmitted over thatpath. The weight will preferably be set no lower than a minimum valuethat keeps nominal traffic on the path. The weights of the otheravailable paths are altered to compensate for the change in the affectedpath. When the quality of a path degrades to where the transmitter isturned off by the synchronization function (i.e., no packets arearriving at the destination), the weight is set to zero. If alltransmitters are turned off, no packets are sent.

[0229] Conventional TCP/IP protocols include a “throttling” feature thatreduces the transmission rate of packets when it is determined thatdelays or errors are occurring in transmission. In this respect, timersare sometimes used to determine whether packets have been received.These conventional techniques for limiting transmission of packets,however, do not involve multiple transmission paths between two nodeswherein transmission across a particular path relative to the others ischanged based on link quality.

[0230] According to certain embodiments, in order to damp oscillationsthat might otherwise occur if weight distributions are changeddrastically (e.g., according to a step function), a linear or anexponential decay formula can be applied to gradually decrease theweight value over time that a degrading path will be used. Similarly, ifthe health of a degraded path improves, the weight value for that pathis gradually increased.

[0231] Transmission link health can be evaluated by comparing the numberof packets that are acknowledged within the transmission window (seeembodiments discussed above) to the number of packets transmitted withinthat window and by the state of the transmitter (i.e., on or off). Inother words, rather than accumulating general transmission statisticsover time for a path, one specific implementation uses the “windowing”concepts described above to evaluate transmission path health.

[0232] The same scheme can be used to shift virtual circuit paths froman “healthy” path to a “healthy” one, and to select a path for a newvirtual circuit.

[0233]FIG. 22A shows a flowchart for adjusting weight values associatedwith a plurality of transmission links. It is assumed that softwareexecuting in one or more computer nodes executes the steps shown in FIG.22A. It is also assumed that the software can be stored on acomputer-readable medium such as a magnetic or optical disk forexecution by a computer.

[0234] Beginning in step 2201, the transmission quality of a giventransmission path is measured. As described above, this measurement canbe based on a comparison between the number of packets transmitted overa particular link to the number of packet acknowledgements received overthe link (e.g., per unit time, or in absolute terms). Alternatively, thequality can be evaluated by comparing the number of packets that areacknowledged within the transmission window to the number of packetsthat were transmitted within that window. In yet another variation, thenumber of missed synchronization messages can be used to indicate linkquality. Many other variations are of course possible.

[0235] In step 2202, a check is made to determine whether more than onetransmitter (e.g., transmission path) is turned on. If not, the processis terminated and resumes at step 2201.

[0236] In step 2203, the link quality is compared to a given threshold(e.g., 50%, or any arbitrary number). If the quality falls below thethreshold, then in step 2207 a check is made to determine whether theweight is above a minimum level (e.g., 1%). If not, then in step 2209the weight is set to the minimum level and processing resumes at step2201. If the weight is above the minimum level, then in step 2208 theweight is gradually decreased for the path, then in step 2206 theweights for the remaining paths are adjusted accordingly to compensate(e.g., they are increased).

[0237] If in step 2203 the quality of the path was greater than or equalto the threshold, then in step 2204 a check is made to determine whetherthe weight is less than a steady-state value for that path. If so, thenin step 2205 the weight is increased toward the steady-state value, andin step 2206 the weights for the remaining paths are adjustedaccordingly to compensate (e.g., they are decreased). If in step 2204the weight is not less than the steady-state value, then processingresumes at step 2201 without adjusting the weights.

[0238] The weights can be adjusted incrementally according to variousfunctions, preferably by changing the value gradually. In oneembodiment, a linearly decreasing function is used to adjust theweights; according to another embodiment, an exponential decay functionis used. Gradually changing the weights helps to damp oscillators thatmight otherwise occur if the probabilities were abruptly.

[0239] Although not explicitly shown in FIG. 22A the process can beperformed only periodically (e.g., according to a time schedule), or itcan be continuously run, such as in a background mode of operation. Inone embodiment, the combined weights of all potential paths should addup to unity (e.g., when the weighting for one path is decreased, thecorresponding weights that the other paths will be selected willincrease).

[0240] Adjustments to weight values for other paths can be prorated. Forexample, a decrease of 10% in weight value for one path could result inan evenly distributed increase in the weights for the remaining paths.Alternatively, weightings could be adjusted according to a weightedformula as desired (e.g., favoring healthy paths over less healthypaths). In yet another variation, the difference in weight value can beamortized over the remaining links in a manner that is proportional totheir traffic weighting.

[0241]FIG. 22B shows steps that can be executed to shut downtransmission links where a transmitter turns off. In step 2210, atransmitter shut-down event occurs. In step 2211, a test is made todetermine whether at least one transmitter is still turned on. If not,then in step 2215 all packets are dropped until a transmitter turns on.If in step 2211 at least one transmitter is turned on, then in step 2212the weight for the path is set to zero, and the weights for theremaining paths are adjusted accordingly.

[0242]FIG. 23 shows a computer node 2301 employing various principles ofthe above-described embodiments. It is assumed that two computer nodesof the type shown in FIG. 23 communicate over a plurality of separatephysical transmission paths. As shown in FIG. 23, four transmissionpaths X1 through X4 are defined for communicating between the two nodes.Each node includes a packet transmitter 2302 that operates in accordancewith a transmit table 2308 as described above. (The packet transmittercould also operate without using the IP-hopping features describedabove, but the following description assumes that some form of hoppingis employed in conjunction with the path selection mechanism.). Thecomputer node also includes a packet receiver 2303 that operates inaccordance with a receive table 2309, including a moving window W thatmoves as valid packets are received. Invalid packets having source anddestination addresses that do not fall within window W are rejected.

[0243] As each packet is readied for transmission, source anddestination IP addresses (or other discriminator values) are selectedfrom transmit table 2308 according to any of the various algorithmsdescribed above, and packets containing these source/destination addresspairs, which correspond to the node to which the four transmission pathsare linked, are generated to a transmission path switch 2307. Switch2307, which can comprise a software function, selects from one of theavailable transmission paths according to a weight distribution table2306. For example, if the weight for path X1 is 0.2, then every fifthpacket will be transmitted on path X1. A similar regime holds true forthe other paths as shown. Initially, each link's weight value can be setsuch that it is proportional to its bandwidth, which will be referred toas its “steady-state” value.

[0244] Packet receiver 2303 generates an output to a link qualitymeasurement function 2304 that operates as described above to determinethe quality of each transmission path. (The input to packet receiver2303 for receiving incoming packets is omitted for clarity). Linkquality measurement function 2304 compares the link quality to athreshold for each transmission link and, if necessary, generates anoutput to weight adjustment function 2305. If a weight adjustment isrequired, then the weights in table 2306 are adjusted accordingly,preferably according to a gradual (e.g., linearly or exponentiallydeclining) function. In one embodiment, the weight values for allavailable paths are initially set to the same value, and only when pathsdegrade in quality are the weights changed to reflect differences.

[0245] Link quality measurement function 2304 can be made to operate aspart of a synchronizer function as described above. That is, ifresynchronization occurs and the receiver detects that synchronizationhas been lost (e.g., resulting in the synchronization window W beingadvanced out of sequence), that fact can be used to drive link qualitymeasurement function 2304. According to one embodiment, load balancingis performed using information garnered during the normalsynchronization, augmented slightly to communicate link health from thereceiver to the transmitter. The receiver maintains a count, MESS_R(W),of the messages received in synchronization window W. When it receives asynchronization request (SYNC_REQ) corresponding to the end of window W,the receiver includes counter MESS_R in the resulting synchronizationacknowledgement (SYNC_ACK) sent back to the transmitter. This allows thetransmitter to compare messages sent to messages received in order toasses the health of the link.

[0246] If synchronization is completely lost, weight adjustment function2305 decreases the weight value on the affected path to zero. Whensynchronization is regained, the weight value for the affected path isgradually increased to its original value. Alternatively, link qualitycan be measured by evaluating the length of time required for thereceiver to acknowledge a synchronization request. In one embodiment,separate transmit and receive tables are used for each transmissionpath.

[0247] When the transmitter receives a SYNC_ACK, the MESS_R is comparedwith the number of messages transmitted in a window (MESS_T). When thetransmitter receives a SYNC_ACK, the traffic probabilities will beexamined and adjusted if necessary. MESS_R is compared with the numberof messages transmitted in a window (MESS_T). There are twopossibilities:

[0248] 1. If MESS_R is less than a threshold value, THRESH, then thelink will be deemed to be unhealthy. If the transmitter was turned off,the transmitter is turned on and the weight P for that link will be setto a minimum value MIN. This will keep a trickle of traffic on the linkfor monitoring purposes until it recovers. If the transmitter was turnedon, the weight P for that link will be set to:

P′=α×MIN+(1−α(× P  (1)

[0249] Equation 1 will exponentially damp the traffic weight value toMIN during sustained periods of degraded service.

[0250] 2. If MESS_R for a link is greater than or equal to THRESH, thelink will be deemed healthy. If the weight P for that link is greaterthan or equal to the steady state value S for that link, then P is leftunaltered. If the weight P for that link is less than THRESH then P willbe set to:

P′=β×S+(1−β)×P  (2)

[0251] where β is a parameter such that 0<=β=1 that determines thedamping rate of P.

[0252] Equation 2 will increase the traffic weight to S during sustainedperiods of acceptable service in a damped exponential fashion.

[0253] A detailed example will now be provided with reference to FIG.24. As shown in FIG. 24, a first computer 2401 communicates with asecond computer 2402 through two routers 2403 and 2404. Each router iscoupled to the other router through three transmission links. Asdescribed above, these may be physically diverse links or logical links(including virtual private networks).

[0254] Suppose that a first link L1 can sustain a transmission bandwidthof 100 Mb/s and has a window size of 32; link L2 can sustain 75 Mb/s andhas a window size of 24; and link L3 can sustain 25 Mb/s and has awindow size of 8. The combined links can thus sustain 200 Mb/s. Thesteady state traffic weights are 0.5 for link L1; 0.375 for link L2, and0.125 for link L3. MIN=1 Mb/s, THRESH=0.8 MESS_T for each link, α=0.75and β=0.5. These traffic weights will remain stable until a link stopsfor synchronization or reports a number of packets received less thanits THRESH. Consider the following sequence of events:

[0255] 1. Link L1 receives a SYNC_ACK containing a MESS_R of 24,indicating that only 75% of the MESS_T (32) messages transmitted in thelast window were successfully received. Link 1 would be below THRESH(0.8). Consequently, link L1's traffic weight value would be reduced to0.12825, while link L2's traffic weight value would be increased to0.65812 and link L3's traffic weight value would be increased to0.217938.

[0256] 2. Link L2 and L3 remained healthy and link L1 stopped tosynchronize. Then link L1 's traffic weight value would be set to 0,link L2's traffic weight value would be set to 0.75, and link L33'straffic weight value would be set to 0.25.

[0257] 3. Link L1 finally received a SYNC_ACK containing a MESS_R of 0indicating that none of the MESS_T (32) messages transmitted in the lastwindow were successfully received. Link L1 would be below THRESH. LinkL1's traffic weight value would be increased to 0.005, link L2's trafficweight value would be decreased to 0.74625, and link L3's traffic weightvalue would be decreased to 0.24875.

[0258] 4. Link L1 received a SYNC_ACK containing a MESS_R of 32indicating that 100% of the MESS_T (32) messages transmitted in the lastwindow were successfully received. Link L1 would be above THRESH. LinkL1's traffic weight value would be increased to 0.2525, while link L2'straffic weight value would be decreased to 0.560625 and link L3'straffic weight value would be decreased to 0.186875.

[0259] 5. Link L1 received a SYNC_ACK containing a MESS_R of 32indicating that 100% of the MESS_T (32) messages transmitted in the lastwindow were successfully received. Link L1 would be above THRESH. LinkL1's traffic weight value would be increased to 0.37625; link L2'straffic weight value would be decreased to 0.4678125, and link L3'straffic weight value would be decreased to 0.1559375.

[0260] 6. Link L1 remains healthy and the traffic probabilities approachtheir steady state traffic probabilities.

B. Use of a DNS Proxy to Transparently Create Virtual Private Networks

[0261] A second improvement concerns the automatic creation of a virtualprivate network (VPN) in response to a domain-name server look-upfunction.

[0262] Conventional Domain Name Servers (DNSs) provide a look-upfunction that returns the IP address of a requested computer or host.For example, when a computer user types in the web name “Yahoo.com,” theuser's web browser transmits a request to a DNS, which converts the nameinto a four-part IP address that is returned to the user's browser andthen used by the browser to contact the destination web site.

[0263] This conventional scheme is shown in FIG. 25. A user's computer2501 includes a client application 2504 (for example, a web browser) andan IP protocol stack 2505. When the user enters the name of adestination host, a request DNS REQ is made (through IP protocol stack2505) to a DNS 2502 to look up the IP address associated with the name.The DNS returns the IP address DNS RESP to client application 2504,which is then able to use the IP address to communicate with the host2503 through separate transactions such as PAGE REQ and PAGE RESP.

[0264] In the conventional architecture shown in FIG. 25, nefariouslisteners on the Internet could intercept the DNS REQ and DNS RESPpackets and thus learn what IP addresses the user was contacting. Forexample, if a user wanted to set up a secure communication path with aweb site having the name “Target.com,” when the user's browser contacteda DNS to find the IP address for that web site, the true IP address ofthat web site would be revealed over the Internet as part of the DNSinquiry. This would hamper anonymous communications on the Internet.

[0265] One conventional scheme that provides secure virtual privatenetworks over the Internet provides the DNS server with the public keysof the machines that the DNS server has the addresses for. This allowshosts to retrieve automatically the public keys of a host that the hostis to communicate with so that the host can set up a VPN without havingthe user enter the public key of the destination host. Oneimplementation of this standard is presently being developed as part ofthe FreeS/WAN project(RFC 2535).

[0266] The conventional scheme suffers from certain drawbacks. Forexample, any user can perform a DNS request. Moreover, DNS requestsresolve to the same value for all users.

[0267] According to certain aspects of the invention, a specialized DNSserver traps DNS requests and, if the request is from a special type ofuser (e.g., one for which secure communication services are defined),the server does not return the true IP address of the target node, butinstead automatically sets up a virtual private network between thetarget node and the user. The VPN is preferably implemented using the IPaddress “hopping” features of the basic invention described above, suchthat the true identity of the two nodes cannot be determined even ifpackets during the communication are intercepted. For DNS requests thatare determined to not require secure services (e.g., an unregistereduser), the DNS server transparently “passes through” the request toprovide a normal look-up function and return the IP address of thetarget web server, provided that the requesting host has permissions toresolve unsecured sites. Different users who make an identical DNSrequest could be provided with different results.

[0268]FIG. 26 shows a system employing various principles summarizedabove. A user's computer 2601 includes a conventional client (e.g., aweb browser) 2605 and an IP protocol stack 2606 that preferably operatesin accordance with an IP hopping function 2607 as outlined above. Amodified DNS server 2602 includes a conventional DNS server function2609 and a DNS proxy 2610. A gatekeeper server 2603 is interposedbetween the modified DNS server and a secure target site 2704. An“unsecure” target site 2611 is also accessible via conventional IPprotocols.

[0269] According to one embodiment, DNS proxy 2610 intercepts all DNSlookup functions from client 2605 and determines whether access to asecure site has been requested. If access to a secure site has beenrequested (as determined, for example, by a domain name extension, or byreference to an internal table of such sites), DNS proxy 2610 determineswhether the user has sufficient security privileges to access the site.If so, DNS proxy 2610 transmits a message to gatekeeper 2603 requestingthat a virtual private network be created between user computer 2601 andsecure target site 2604. In one embodiment, gatekeeper 2603 creates“hopblocks” to be used by computer 2601 and secure target site 2604 forsecure communication. Then, gatekeeper 2603 communicates these to usercomputer 2601. Thereafter, DNS proxy 2610 returns to user computer 2601the resolved address passed to it by the gatekeeper (this address couldbe different from the actual target computer) 2604, preferably using asecure administrative VPN. The address that is returned need not be theactual address of the destination computer.

[0270] Had the user requested lookup of a non-secure web site such assite 2611, DNS proxy would merely pass through to conventional DNSserver 2609 the look-up request, which would be handled in aconventional manner, returning the IP address of non-secure web site2611. If the user had requested lookup of a secure web site but lackedcredentials to create such a connection, DNS proxy 2610 would return a“host unknown” error to the user. In this manner, different usersrequesting access to the same DNS name could be provided with differentlook-up results.

[0271] Gatekeeper 2603 can be implemented on a separate computer (asshown in FIG. 26) or as a function within modified DNS server 2602. Ingeneral, it is anticipated that gatekeeper 2703 facilitates theallocation and exchange of information needed to communicate securely,such as using “hopped” IP addresses. Secure hosts such as site 2604 areassumed to be equipped with a secure communication function such as anIP hopping function 2608.

[0272] It will be appreciated that the functions of DNS proxy 2610 andDNS server 2609 can be combined into a single server for convenience.Moreover, although element 2602 is shown as combining the functions oftwo servers, the two servers can be made to operate independently.

[0273]FIG. 27 shows steps that can be executed by DNS proxy server 2610to handle requests for DNS look-up for secure hosts. In step 2701, a DNSlook-up request is received for a target host. In step 2702, a check ismade to determine whether access to a secure host was requested. If not,then in step 2703 the DNS request is passed to conventional DNS server2609, which looks up the IP address of the target site and returns it tothe user's application for further processing.

[0274] In step 2702, if access to a secure host was requested, then instep 2704 a further check is made to determine whether the user isauthorized to connect to the secure host. Such a check can be made withreference to an internally stored list of authorized IP addresses, orcan be made by communicating with gatekeeper 2603 (e.g., over an“administrative” VPN that is secure). It will be appreciated thatdifferent levels of security can also be provided for differentcategories of hosts. For example, some sites may be designated as havinga certain security level, and the security level of the user requestingaccess must match that security level. The user's security level canalso be determined by transmitting a request message back to the user'scomputer requiring that it prove that it has sufficient privileges.

[0275] If the user is not authorized to access the secure site, then a“host unknown” message is returned (step 2705). If the user hassufficient security privileges, then in step 2706 a secure VPN isestablished between the user's computer and the secure target site. Asdescribed above, this is preferably done by allocating a hopping regimethat will be carried out between the user's computer and the securetarget site, and is preferably performed transparently to the user(i.e., the user need not be involved in creating the secure link). Asdescribed in various embodiments of this application, any of variousfields can be “hopped” (e.g., IP source/destination addresses; a fieldin the header; etc.) in order to communicate securely.

[0276] Some or all of the security functions can be embedded ingatekeeper 2603, such that it handles all requests to connect to securesites. In this embodiment, DNS proxy 2610 communicates with gatekeeper2603 to determine (preferably over a secure administrative VPN) whetherthe user has access to a particular web site. Various scenarios forimplementing these features are described by way of example below:

[0277] Scenario #1: Client has permission to access target computer, andgatekeeper has a rule to make a VPN for the client. In this scenario,the client's DNS request would be received by the DNS proxy server 2610,which would forward the request to gatekeeper 2603. The gatekeeper wouldestablish a VPN between the client and the requested target. Thegatekeeper would provide the address of the destination to the DNSproxy, which would then return the resolved name as a result. Theresolved address can be transmitted back to the client in a secureadministrative VPN.

[0278] Scenario #2: Client does not have permission to access targetcomputer. In this scenario, the client's DNS request would be receivedby the DNS proxy server 2610, which would forward the request togatekeeper 2603. The gatekeeper would reject the request, informing DNSproxy server 2610 that it was unable to find the target computer. TheDNS proxy 2610 would then return a “host unknown” error message to theclient.

[0279] Scenario #3: Client has permission to connect using a normalnon-VPN link, and the gatekeeper does not have a rule to set up a VPNfor the client to the target site. In this scenario, the client's DNSrequest is received by DNS proxy server 2610, which would check itsrules and determine that no VPN is needed. Gatekeeper 2603 would theninform the DNS proxy server to forward the request to conventional DNSserver 2609, which would resolve the request and return the result tothe DNS proxy server and then back to the client.

[0280] Scenario #4: Client does not have permission to establish anormal/non-VPN link, and the gatekeeper does not have a rule to make aVPN for the client to the target site. In this scenario, the DNS proxyserver would receive the client's DNS request and forward it togatekeeper 2603. Gatekeeper 2603 would determine that no special VPN wasneeded, but that the client is not authorized to communicate withnon-VPN members. The gatekeeper would reject the request, causing DNSproxy server 2610 to return an error message to the client.

C. Large Link to Small Link Bandwidth Management

[0281] One feature of the basic architecture is the ability to preventso-called “denial of service” attacks that can occur if a computerhacker floods a known Internet node with packets, thus preventing thenode from communicating with other nodes. Because IP addresses or otherfields are “hopped” and packets arriving with invalid addresses arequickly discarded, Internet nodes are protected against floodingtargeted at a single IP address.

[0282] In a system in which a computer is coupled through a link havinga limited bandwidth (e.g., an edge router) to a node that can support amuch higher-bandwidth link (e.g., an Internet Service Provider), apotential weakness could be exploited by a determined hacker. Referringto FIG. 28, suppose that a first host computer 2801 is communicatingwith a second host computer 2804 using the IP address hopping principlesdescribed above. The first host computer is coupled through an edgerouter 2802 to an Internet Service Provider (ISP) 2803 through a lowbandwidth link (LOW BW), and is in turn coupled to second host computer2804 through parts of the Internet through a high bandwidth link (HIGHBW). In this architecture, the ISP is able to support a high bandwidthto the internet, but a much lower bandwidth to the edge router 2802.

[0283] Suppose that a computer hacker is able to transmit a largequantity of dummy packets addressed to first host computer 2801 acrosshigh bandwidth link HIGH BW. Normally, host computer 2801 would be ableto quickly reject the packets since they would not fall within theacceptance window permitted by the IP address hopping scheme. However,because the packets must travel across low bandwidth link LOW BW, thepackets overwhelm the lower bandwidth link before they are received byhost computer 2801. Consequently, the link to host computer 2801 iseffectively flooded before the packets can be discarded.

[0284] According to one inventive improvement, a “link guard” function2805 is inserted into the high-bandwidth node (e.g., ISP 2803) thatquickly discards packets destined for a low-bandwidth target node ifthey are not valid packets. Each packet destined for a low-bandwidthnode is cryptographically authenticated to determine whether it belongsto a VPN. If it is not a valid VPN packet, the packet is discarded atthe high-bandwidth node. If the packet is authenticated as belonging toa VPN, the packet is passed with high preference. If the packet is avalid non-VPN packet, it is passed with a lower quality of service(e.g., lower priority).

[0285] In one embodiment, the ISP distinguishes between VPN and non-VPNpackets using the protocol of the packet. In the case of IPSEC [rfc2401], the packets have IP protocols 420 and 421. In the case of theTARP VPN, the packets will have an IP protocol that is not yet defined.The ISP's link guard, 2805, maintains a table of valid VPNs which ituses to validate whether VPN packets are cryptographically valid.According to one embodiment, packets that do not fall within any hopwindows used by nodes on the low-bandwidth link are rejected, or aresent with a lower quality of service. One approach for doing this is toprovide a copy of the IP hopping tables used by the low-bandwidth nodesto the high-bandwidth node, such that both the high-bandwidth andlow-bandwidth nodes track hopped packets (e.g., the high-bandwidth nodemoves its hopping window as valid packets are received). In such ascenario, the high-bandwidth node discards packets that do not fallwithin the hopping window before they are transmitted over thelow-bandwidth link. Thus, for example, ISP 2903 maintains a copy 2910 ofthe receive table used by host computer 2901. Incoming packets that donot fall within this receive table are discarded. According to adifferent embodiment, link guard 2805 validates each VPN packet using akeyed hashed message authentication code (HMAC) [rfc 2104].

[0286] According to another embodiment, separate VPNs (using, forexample, hopblocks) can be established for communicating between thelow-bandwidth node and the high-bandwidth node (i.e., packets arrivingat the high-bandwidth node are converted into different packets beforebeing transmitted to the low-bandwidth node).

[0287] As shown in FIG. 29, for example, suppose that a first hostcomputer 2900 is communicating with a second host computer 2902 over theInternet, and the path includes a high bandwidth link HIGH BW to an ISP2901 and a low bandwidth link LOW BW through an edge router 2904. Inaccordance with the basic architecture described above, first hostcomputer 2900 and second host computer 2902 would exchange hopblocks (ora hopblock algorithm) and would be able to create matching transmit andreceive tables 2905, 2906, 2912 and 2913. Then in accordance with thebasic architecture, the two computers would transmit packets havingseemingly random IP source and destination addresses, and each wouldmove a corresponding hopping window in its receive table as validpackets were received.

[0288] Suppose that a nefarious computer hacker 2903 was able to deducethat packets having a certain range of IP addresses (e.g., addresses 100to 200 for the sake of simplicity) are being transmitted to ISP 2901,and that these packets are being forwarded over a low-bandwidth link.Hacker computer 2903 could thus “flood” packets having addresses fallinginto the range 100 to 200, expecting that they would be forwarded alonglow bandwidth link LOW BW, thus causing the low bandwidth link to becomeoverwhelmed. The fast packet reject mechanism in first host computer3000 would be of little use in rejecting these packets, since the lowbandwidth link was effectively jammed before the packets could berejected. In accordance with one aspect of the improvement, however, VPNlink guard 2911 would prevent the attack from impacting the performanceof VPN traffic because the packets would either be rejected as invalidVPN packets or given a lower quality of service than VPN traffic overthe lower bandwidth link. A denial-of-service flood attack could,however, still disrupt non-VPN traffic.

[0289] According to one embodiment of the improvement, ISP 2901maintains a separate VPN with first host computer 2900, and thustranslates packets arriving at the ISP into packets having a differentIP header before they are transmitted to host computer 2900. Thecryptographic keys used to authenticate VPN packets at the link guard2911 and the cryptographic keys used to encrypt and decrypt the VPNpackets at host 2902 and host 2901 can be different, so that link guard2911 does not have access to the private host data; it only has thecapability to authenticate those packets.

[0290] According to yet a third embodiment, the low-bandwidth node cantransmit a special message to the high-bandwidth node instructing it toshut down all transmissions on a particular IP address, such that onlyhopped packets will pass through to the low-bandwidth node. Thisembodiment would prevent a hacker from flooding packets using a singleIP address. According to yet a fourth embodiment, the high-bandwidthnode can be configured to discard packets transmitted to thelow-bandwidth node if the transmission rate exceeds a certainpredetermined threshold for any given IP address; this would allowhopped packets to go through. In this respect, link guard 2911 can beused to detect that the rate of packets on a given IP address areexceeding a threshold rate; further packets addressed to that same IPaddress would be dropped or transmitted at a lower priority (e.g.,delayed).

D. Traffic Limiter

[0291] In a system in which multiple nodes are communicating using“hopping” technology, a treasonous insider could internally flood thesystem with packets. In order to prevent this possibility, one inventiveimprovement involves setting up “contracts” between nodes in the system,such that a receiver can impose a bandwidth limitation on each packetsender. One technique for doing this is to delay acceptance of acheckpoint synchronization request from a sender until a certain timeperiod (e.g., one minute) has elapsed. Each receiver can effectivelycontrol the rate at which its hopping window moves by delaying “SYNCACK” responses to “SYNC_REQ” messages.

[0292] A simple modification to the checkpoint synchronizer will serveto protect a receiver from accidental or deliberate overload from aninternally treasonous client. This modification is based on theobservation that a receiver will not update its tables until a SYNC_REQis received on hopped address CKPT_N. It is a simple matter of deferringthe generation of a new CKPT_N until an appropriate interval afterprevious checkpoints.

[0293] Suppose a receiver wished to restrict reception from atransmitter to 100 packets a second, and that checkpoint synchronizationmessages were triggered every 50 packets. A compliant transmitter wouldnot issue new SYNC_REQ messages more often than every 0.5 seconds. Thereceiver could delay a non-compliant transmitter from synchronizing bydelaying the issuance of CKPT_N for 0.5 second after the last SYNC_REQwas accepted.

[0294] In general, if M receivers need to restrict N transmittersissuing new SYNC_REQ messages after every W messages to sending Rmessages a second in aggregate, each receiver could defer issuing a newCKPT_N until M×N×W/R seconds have elapsed since the last SYNC_REQ hasbeen received and accepted. If the transmitter exceeds this rate betweena pair of checkpoints, it will issue the new checkpoint before thereceiver is ready to receive it, and the SYNC_REQ will be discarded bythe receiver. After this, the transmitter will re-issue the SYNC_REQevery Ti seconds until it receives a SYNC_ACK. The receiver willeventually update CKPT_N and the SYNC_REQ will be acknowledged. If thetransmission rate greatly exceeds the allowed rate, the transmitter willstop until it is compliant. If the transmitter exceeds the allowed rateby a little, it will eventually stop after several rounds of delayedsynchronization until it is in compliance. Hacking the transmitter'scode to not shut off only permits the transmitter to lose the acceptancewindow. In this case it can recover the window and proceed only after itis compliant again.

[0295] Two practical issues should be considered when implementing theabove scheme:

[0296] 1. The receiver rate should be slightly higher than the permittedrate in order to allow for statistical fluctuations in traffic arrivaltimes and non-uniform load balancing.

[0297] 2. Since a transmitter will rightfully continue to transmit for aperiod after a SYNC_REQ is transmitted, the algorithm above canartificially reduce the transmitter's bandwidth. If events prevent acompliant transmitter from synchronizing for a period (e.g. the networkdropping a SYNC_REQ or a SYNC_ACK) a SYNC_REQ will be accepted laterthan expected. After this, the transmitter will transmit fewer thanexpected messages before encountering the next checkpoint. The newcheckpoint will not have been activated and the transmitter will have toretransmit the SYNC_REQ. This will appear to the receiver as if thetransmitter is not compliant. Therefore, the next checkpoint will beaccepted late from the transmitter's perspective. This has the effect ofreducing the transmitter's allowed packet rate until the transmittertransmits at a packet rate below the agreed upon rate for a period oftime.

[0298] To guard against this, the receiver should keep track of thetimes that the last C SYNC_REQs were received and accepted and use theminimum of M×N×W/R seconds after the last SYNC_REQ has been received andaccepted, 2×M×N×W/R seconds after next to the last SYNC_REQ has beenreceived and accepted, C×M×N×W/R seconds after (C−1)^(th) to the lastSYNC_REQ has been received, as the time to activate CKPT_N. Thisprevents the receiver from inappropriately limiting the transmitter'spacket rate if at least one out of the last C SYNC_REQs was processed onthe first attempt.

[0299]FIG. 30 shows a system employing the above-described principles.In FIG. 30, two computers 3000 and 3001 are assumed to be communicatingover a network N in accordance with the “hopping” principles describedabove (e.g., hopped IP addresses, discriminator values, etc.). For thesake of simplicity, computer 3000 will be referred to as the receivingcomputer and computer 3001 will be referred to as the transmittingcomputer, although full duplex operation is of course contemplated.Moreover, although only a single transmitter is shown, multipletransmitters can transmit to receiver 3000.

[0300] As described above, receiving computer 3000 maintains a receivetable 3002 including a window W that defines valid IP address pairs thatwill be accepted when appearing in incoming data packets. Transmittingcomputer 3001 maintains a transmit table 3003 from which the next IPaddress pairs will be selected when transmitting a packet to receivingcomputer 3000. (For the sake of illustration, window W is alsoillustrated with reference to transmit table 3003). As transmittingcomputer moves through its table, it will eventually generate a SYNC_REQmessage as illustrated in function 3010. This is a request to receiver3000 to synchronize the receive table 3002, from which transmitter 3001expects a response in the form of a CKPT_N (included as part of aSYNC_ACK message). If transmitting computer 3001 transmits more messagesthan its allotment, it will prematurely generate the SYNC_REQ message.(If it has been altered to remove the SYNC_REQ message generationaltogether, it will fall out of synchronization since receiver 3000 willquickly reject packets that fall outside of window W, and the extrapackets generated by transmitter 3001 will be discarded).

[0301] In accordance with the improvements described above, receivingcomputer 3000 performs certain steps when a SYNC_REQ message isreceived, as illustrated in FIG. 30. In step 3004, receiving computer3000 receives the SYNC_REQ message. In step 3005, a check is made todetermine whether the request is a duplicate. If so, it is discarded instep 3006. In step 3007, a check is made to determine whether theSYNC_REQ received from transmitter 3001 was received at a rate thatexceeds the allowable rate R (i.e., the period between the time of thelast SYNC_REQ message). The value R can be a constant, or it can be madeto fluctuate as desired. If the rate exceeds R, then in step 3008 thenext activation of the next CKPT_N hopping table entry is delayed by W/Rseconds after the last SYNC_REQ has been accepted.

[0302] Otherwise, if the rate has not been exceeded, then in step 3109the next CKPT_N value is calculated and inserted into the receiver'shopping table prior to the next SYNC_REQ from thetransmitter 3101.Transmitter 3101 then processes the SYNC_REQ in the normal manner.

E. Signaling Synchronizer

[0303] In a system in which a large number of users communicate with acentral node using secure hopping technology, a large amount of memorymust be set aside for hopping tables and their supporting datastructures. For example, if one million subscribers to a web siteoccasionally communicate with the web site, the site must maintain onemillion hopping tables, thus using up valuable computer resources, eventhough only a small percentage of the users may actually be using thesystem at any one time. A desirable solution would be a system thatpermits a certain maximum number of simultaneous links to be maintained,but which would “recognize” millions of registered users at any onetime. In other words, out of a population of a million registered users,a few thousand at a time could simultaneously communicate with a centralserver, without requiring that the server maintain one million hoppingtables of appreciable size.

[0304] One solution is to partition the central node into two nodes: asignaling server that performs session initiation for user log-on andlog-off (and requires only minimally sized tables), and a transportserver that contains larger hopping tables for the users. The signalingserver listens for the millions of known users and performs afast-packet reject of other (bogus) packets. When a packet is receivedfrom a known user, the signaling server activates a virtual private link(VPL) between the user and the transport server, where hopping tablesare allocated and maintained. When the user logs onto the signalingserver, the user's computer is provided with hop tables forcommunicating with the transport server, thus activating the VPL. TheVPLs can be torn down when they become inactive for a time period, orthey can be torn down upon user log-out. Communication with thesignaling server to allow user log-on and log-off can be accomplishedusing a specialized version of the checkpoint scheme described above.

[0305]FIG. 31 shows a system employing certain of the above-describedprinciples. In FIG. 31, a signaling server 3101 and a transport server3102 communicate over a link. Signaling server 3101 contains a largenumber of small tables 3106 and 3107 that contain enough information toauthenticate a communication request with one or more clients 3103 and3104. As described in more detail below, these small tables mayadvantageously be constructed as a special case of the synchronizingcheckpoint tables described previously. Transport server 3102, which ispreferably a separate computer in communication with signaling server3101, contains a smaller number of larger hopping tables 3108, 3109, and3110 that can be allocated to create a VPN with one of the clientcomputers.

[0306] According to one embodiment, a client that has previouslyregistered with the system (e.g., via a system administration function,a user registration procedure, or some other method) transmits a requestfor information from a computer (e.g., a web site). In one variation,the request is made using a “hopped” packet, such that signaling server3101 will quickly reject invalid packets from unauthorized computerssuch as hacker computer 3105. An “administrative” VPN can be establishedbetween all of the clients and the signaling server in order to ensurethat a hacker cannot flood signaling server 3101 with bogus packets.Details of this scheme are provided below.

[0307] Signaling server 3101 receives the request 3111 and uses it todetermine that client 3103 is a validly registered user. Next, signalingserver 3101 issues a request to transport server 3102 to allocate ahopping table (or hopping algorithm or other regime) for the purpose ofcreating a VPN with client 3103. The allocated hopping parameters arereturned to signaling server 3101 (path 3113), which then supplies thehopping parameters to client 3103 via path 3114, preferably in encryptedform.

[0308] Thereafter, client 3103 communicates with transport server 3102using the normal hopping techniques described above. It will beappreciated that although signaling server 3101 and transport server3102 are illustrated as being two separate computers, they could ofcourse be combined into a single computer and their functions performedon the single computer. Alternatively, it is possible to partition thefunctions shown in FIG. 31 differently from as shown without departingfrom the inventive principles.

[0309] One advantage of the above-described architecture is thatsignaling server 3101 need only maintain a small amount of informationon a large number of potential users, yet it retains the capability ofquickly rejecting packets from unauthorized users such as hackercomputer 3105. Larger data tables needed to perform the hopping andsynchronization functions are instead maintained in a transport server3102, and a smaller number of these tables are needed since they areonly allocated for “active” links. After a VPN has become inactive for acertain time period (e.g., one hour), the VPN can be automatically torndown by transport server 3102 or signaling server 3101.

[0310] A more detailed description will now be provided regarding how aspecial case of the checkpoint synchronization feature can be used toimplement the signaling scheme described above.

[0311] The signaling synchronizer may be required to support many(millions) of standing, low bandwidth connections. It therefore shouldminimize per-VPL memory usage while providing the security offered byhopping technology. In order to reduce memory usage in the signalingserver, the data hopping tables can be completely eliminated and datacan be carried as part of the SYNC_REQ message. The table used by theserver side (receiver) and client side (transmitter) is shownschematically as element 3106 in FIG. 31.

[0312] The meaning and behaviors of CKPT_N, CKPT_O and CKPT_R remain thesame from the previous description, except that CKPT_N can receive acombined data and SYNC_REQ message or a SYNC_REQ message without thedata.

[0313] The protocol is a straightforward extension of the earliersynchronizer. Assume that a client transmitter is on and the tables aresynchronized. The initial tables can be generated “out of band.” Forexample, a client can log into a web server to establish an account overthe Internet. The client will receive keys etc encrypted over theInternet. Meanwhile, the server will set up the signaling VPN on thesignaling server.

[0314] Assuming that a client application wishes to send a packet to theserver on the client's standing signaling VPL:

[0315] 1. The client sends the message marked as a data message on theinner header using the transmitter's CKPT_N address. It turns thetransmitter off and starts a timer T1 noting CKPT_O. Messages can be oneof three types: DATA, SYNC_REQ and SYNC_ACK. In the normal algorithm,some potential problems can be prevented by identifying each messagetype as part of the encrypted inner header field. In this algorithm, itis important to distinguish a data packet and a SYNC_REQ in thesignaling synchronizer since the data and the SYNC_REQ come in on thesame address.

[0316] 2. When the server receives a data message on its CKPT_N itverifies the message and passes it up the stack. The message can beverified by checking message type and and other information (i.e., usercredentials) contained in the inner header It replaces its CKPT_O withCKPT_N and generates the next CKPT_N. It updates its transmitter sideCKPT_R to correspond to the client's receiver side CKPT_R and transmitsa SYNC_ACK containing CKPT_O in its payload.

[0317] 3. When the client side receiver receives a SYNC_ACK on itsCKPT_R with a payload matching its transmitter side CKPT_O and thetransmitter is off, the transmitter is turned on and the receiver sideCKPT_R is updated. If the SYNC_ACK's payload does not match thetransmitter side CKPT_O or the transmitter is on, the SYNC_ACK is simplydiscarded.

[0318] 4. T1 expires: If the transmitter is off and the client'stransmitter side CKPT_O matches the CKPT_O associated with the timer, itstarts timer Ti noting CKPT_O again, and a SYNC_REQ is sent using thetransmitter's CKPT_O address. Otherwise, no action is taken.

[0319] 5. When the server receives a SYNC_REQ on its CKPT N, it replacesits CKPT_O with CKPT_N and generates the next CKPT_N. It updates itstransmitter side CKPT_R to correspond to the client's receiver sideCKPT_R and transmits a SYNC_ACK containing CKPT_O in its payload.

[0320] 6. When the server receives a SYNC_REQ on its CKPT_O, it updatesits transmitter side CKPT_R to correspond to the client's receiver sideCKPT_R and transmits a SYNC_ACK containing CKPT_O in its payload.

[0321]FIG. 32 shows message flows to highlight the protocol. Readingfrom top to bottom, the client sends data to the server using itstransmitter side CKPT_N. The client side transmitter is turned off and aretry timer is turned off. The transmitter will not transmit messages aslong as the transmitter is turned off. The client side transmitter thenloads CKPT_N into CKPT_O and updates CKPT_N. This message issuccessfully received and a passed up the stack. It also synchronizesthe receiver i.e., the server loads CKPT_N into CKPT_O and generates anew CKPT_N, it generates a new CKPT_R in the server side transmitter andtransmits a SYNC_ACK containing the server side receiver's CKPT_O theserver. The SYNC_ACK is successfully received at the client. The clientside receiver's CKPT_R is updated, the transmitter is turned on and theretry timer is killed. The client side transmitter is ready to transmita new data message.

[0322] Next, the client sends data to the server using its transmitterside CKPT_N. The client side transmitter is turned off and a retry timeris turned off. The transmitter will not transmit messages as long as thetransmitter is turned off. The client side transmitter then loads CKPT_Ninto CKPT_O and updates CKPT_N. This message is lost. The client sidetimer expires and as a result a SYNC_REQ is transmitted on the clientside transmitter's CKPT_O (this will keep happening until the SYNC_ACKhas been received at the client). The SYNC_REQ is successfully receivedat the server. It synchronizes the receiver i.e., the server loadsCKPT_N into CKPT_O and generates a new CKPT_N, it generates an newCKPT_R in the server side transmitter and transmits a SYNC_ACKcontaining the server side receiver's CKPT_O the server. The SYNC_ACK issuccessfully received at the client. The client side receiver's CKPT_Ris updated, the transmitter is turned off and the retry timer is killed.The client side transmitter is ready to transmit a new data message.

[0323] There are numerous other scenarios that follow this flow. Forexample, the SYNC_ACK could be lost. The transmitter would continue tore-send the SYNC_REQ until the receiver synchronizes and responds.

[0324] The above-described procedures allow a client to be authenticatedat signaling server 3201 while maintaining the ability of signalingserver 3201 to quickly reject invalid packets, such as might begenerated by hacker computer 3205. In various embodiments, the signalingsynchronizer is really a derivative of the synchronizer. It provides thesame protection as the hopping protocol, and it does so for a largenumber of low bandwidth connections.

F. One-Click Secure On-Line Communications and Secure Domain NameService

[0325] The present invention provides a technique for establishing asecure communication link between a first computer and a second computerover a computer network. Preferably, a user enables a securecommunication link using a single click of a mouse, or a correspondingminimal input from another input device, such as a keystroke entered ona keyboard or a click entered through a trackball. Alternatively, thesecure link is automatically established as a default setting at boot-upof the computer (i.e., no click). FIG. 33 shows a system block diagram3300 of a computer network in which the one-click secure communicationmethod of the present invention is suitable. In FIG. 33, a computerterminal or client computer 3301, such as a personal computer (PC), isconnected to a computer network 3302, such as the Internet, through anISP 3303. Alternatively, computer 3301 can be connected to computernetwork 3302 through an edge router. Computer 3301 includes an inputdevice, such as a keyboard and/or mouse, and a display device, such as amonitor. Computer 3301 can communicate conventionally with anothercomputer 3304 connected to computer network 3302 over a communicationlink 3305 using a browser 3306 that is installed and operates oncomputer 3301 in a well-known manner.

[0326] Computer 3304 can be, for example, a server computer that is usedfor conducting e-commerce. In the situation when computer network 3302is the Internet, computer 3304 typically will have a standard top-leveldomain name such as .com, net, org, .edu, mil or .gov.

[0327]FIG. 34 shows a flow diagram 3400 for installing and establishinga “one-click” secure communication link over a computer networkaccording to the present invention. At step 3401, computer 3301 isconnected to server computer 3304 over a non-VPN communication link3305. Web browser 3306 displays a web page associated with server 3304in a well-known manner. According to one variation of the invention, thedisplay of computer 3301 contains a hyperlink, or an icon representing ahyperlink, for selecting a virtual private network (VPN) communicationlink (“go secure” hyperlink) through computer network 3302 betweenterminal 3301 and server 3304. Preferably, the “go secure” hyperlink isdisplayed as part of the web page downloaded from server computer 3304,thereby indicating that the entity providing server 3304 also providesVPN capability.

[0328] By displaying the “go secure” hyperlink, a user at computer 3301is informed that the current communication link between computer 3301and server computer 3304 is a non-secure, non-VPN communication link. Atstep 3402, it is determined whether a user of computer 3301 has selectedthe “go secure” hyperlink. If not, processing resumes using a non-secure(conventional) communication method (not shown). If, at step 3402, it isdetermined that the user has selected the “go secure” hyperlink, flowcontinues to step 3403 where an object associated with the hyperlinkdetermines whether a VPN communication software module has already beeninstalled on computer 3301. Alternatively, a user can enter a commandinto computer 3301 to “go secure.”

[0329] If, at step 3403, the object determines that the software modulehas been installed, flow continues to step 3407. If, at step 3403, theobject determines that the software module has not been installed, flowcontinues to step 3404 where a non-VPN communication link 3307 islaunched between computer 3301 and a website 3308 over computer network3302 in a well-known manner. Website 3308 is accessible by all computerterminals connected to computer network 3302 through a non-VPNcommunication link. Once connected to website 3308, a software modulefor establishing a secure communication link over computer network 3302can be downloaded and installed. Flow continues to step 3405 where,after computer 3301 connects to website 3308, the software module forestablishing a communication link is downloaded and installed in awell-known manner on computer terminal 3301 as software module 3309. Atstep 3405, a user can optionally select parameters for the softwaremodule, such as enabling a secure communication link mode ofcommunication for all communication links over computer network 3302. Atstep 3406, the -communication link between computer 3301 and website3308 is then terminated in a well-known manner.

[0330] By clicking on the “go secure” hyperlink, a user at computer 3301has enabled a secure communication mode of communication betweencomputer 3301 and server computer 3304. According to one variation ofthe invention, the user is not required to do anything more than merelyclick the “go secure” hyperlink. The user does not need to enter anyuser identification information, passwords or encryption keys forestablishing a secure communication link. All procedures required forestablishing a secure communication link between computer 3301 andserver computer 3304 are performed transparently to a user at computer3301.

[0331] At step 3407, a secure VPN communications mode of operation hasbeen enabled and software module 3309 begins to establish a VPNcommunication link. In one embodiment, software module 3309automatically replaces the top-level domain name for server 3304 withinbrowser 3406 with a secure top-level domain name for server computer3304. For example, if the top-level domain name for server 3304 is .com,software module 3309 replaces the .com top-level domain name with a.scom top-level domain name, where the “s” stands for secure.Alternatively, software module 3409 can replace the top-level domainname of server 3304 with any other non-standard top-level domain name.

[0332] Because the secure top-level domain name is a non-standard domainname, a query to a standard domain name service (DNS) will return amessage indicating that the universal resource locator (URL) is unknown.According to the invention, software module 3409 contains the URL forquerying a secure domain name service (SDNS) for obtaining the URL for asecure top-level domain name. In this regard, software module 3309accesses a secure portal 3310 that interfaces a secure network 3311 tocomputer network 3302. Secure network 3311 includes an internal router3312, a secure domain name service (SDNS) 3313, a VPN gatekeeper 3314and a secure proxy 3315. The secure network can include other networkservices, such as e-mail 3316, a plurality of chatrooms (of which onlyone chatroom 3317 is shown), and a standard domain name service (STDDNS) 3318. Of course, secure network 3311 can include other resourcesand services that are not shown in FIG. 33.

[0333] When software module 3309 replaces the standard top-level domainname for server 3304 with the secure top-level domain name, softwaremodule 3309 sends a query to SDNS 3313 at step 3408 through secureportal 3310 preferably using an administrative VPN communication link3319. In this configuration, secure portal 3310 can only be accessedusing a VPN communication link. Preferably, such a VPN communicationlink can be based on a technique of inserting a source and destinationIP address pair into each data packet that is selected according to apseudo-random sequence; an IP address hopping regime that pseudorandomlychanges IP addresses in packets transmitted between a client computerand a secure target computer; periodically changing at least one fieldin a series of data packets according to a known sequence; an InternetProtocol (IP) address in a header of each data packet that is comparedto a table of valid IP addresses maintained in a table in the secondcomputer; and/or a comparison of the IP address in the header of eachdata packet to a moving window of valid IP addresses, and rejecting datapackets having IP addresses that do not fall within the moving window.Other types of VPNs can alternatively be used. Secure portal 3310authenticates the query from software module 3309 based on theparticular information hopping technique used for VPN communication link3319.

[0334] SDNS 3313 contains a cross-reference database of secure domainnames and corresponding secure network addresses. That is, for eachsecure domain name, SDNS 3313 stores a computer network addresscorresponding to the secure domain name. An entity can register a securedomain name in SDNS 3313 so that a user who desires a securecommunication link to the website of the entity can automatically obtainthe secure computer network address for the secure website. Moreover, anentity can register several secure domain names, with each respectivesecure domain name representing a different priority level of access ina hierarchy of access levels to a secure website. For example, asecurities trading website can provide users secure access so that adenial of service attack on the website will be ineffectual with respectto users subscribing to the secure website service. Different levels ofsubscription can be arranged based on, for example, an escalating fee,so that a user can select a desired level of guarantee for connecting tothe secure securities trading website. When a user queries SDNS 3313 forthe secure computer network address for the securities trading website,SDNS 3313 determines the particular secure computer network addressbased on the user's identity and the user's subscription level.

[0335] At step 3409, SDNS 3313 accesses VPN gatekeeper 3314 forestablishing a VPN communication link between software module 3309 andsecure server 3320. Server 3320 can only be accessed through a VPNcommunication link. VPN gatekeeper 3314 provisions computer 3301 andsecure web server computer 3320, or a secure edge router for servercomputer 3320, thereby creating the VPN. Secure server computer 3320 canbe a separate server computer from server computer 3304, or can be thesame server computer having both non-VPN and VPN communication linkcapability, such as shown by server computer 3322. Returning to FIG. 34,in step 3410, SDNS 3313 returns a secure URL to software module 3309 forthe scom server address for a secure server 3320 corresponding to server3304.

[0336] Alternatively, SDNS 3313 can be accessed through secure portal3310 “in the clear”, that is, without using an administrative VPNcommunication link. In this situation, secure portal 3310 preferablyauthenticates the query using any well-known technique, such as acryptographic technique; before allowing the query to proceed to SDNS3319. Because the initial communication link in this situation is not aVPN communication link, the reply to the query can be “in the clear.”The querying computer can use the clear reply for establishing a VPNlink to the desired domain name. Alternatively, the query to SDNS 3313can be in the clear, and SDNS 3313 and gatekeeper 3314 can operate toestablish a VPN communication link to the querying computer for sendingthe reply.

[0337] At step 3411, software module 3309 accesses secure server 3320through VPN communication link 3321 based on the VPN resources allocatedby VPN gatekeeper 3314. At step 3412, web browser 3306 displays a secureicon indicating that the current communication link to server 3320 is asecure VPN communication link. Further communication between computers3301 and 3320 occurs via the VPN, e.g., using a “hopping” regime asdiscussed above. When VPN link 3321 is terminated at step 3413, flowcontinues to step 3414 where software module 3309 automatically replacesthe secure top-level domain name with the corresponding non-securetop-level domain name for server 3304. Browser 3306 accesses a standardDNS 3325 for obtaining the non-secure URL for server 3304. Browser 3306then connects to server 3304 in a well-known manner. At step 3415,browser 3306 displays the “go secure” hyperlink or icon for selecting aVPN communication link between terminal 3301 and server 3304. By againdisplaying the “go secure” hyperlink, a user is informed that thecurrent communication link is a non-secure, non-VPN communication link.

[0338] When software module 3309 is being installed or when the user isoff-line, the user can optionally specify that all communication linksestablished over computer network 3302 are secure communication links.Thus, anytime that a communication link is established, the link is aVPN link. Consequently, software module 3309 transparently accesses SDNS3313 for obtaining the URL for a selected secure website. In otherwords, in one embodiment, the user need not “click” on the secure optioneach time secure communication is to be effected.

[0339] Additionally, a user at computer 3301 can optionally select asecure communication link through proxy computer 3315. Accordingly,computer 3301 can establish a VPN communication link 3323 with secureserver computer 3320 through proxy computer 3315. Alternatively,computer 3301 can establish a non-VPN communication link 3324 to anon-secure website, such as non-secure server computer 3304.

[0340]FIG. 35 shows a flow diagram 3500 for registering a secure domainname according to the present invention. At step 3501, a requesteraccesses website 3308 and logs into a secure domain name registryservice that is available through website 3308. At step 3502, therequestor completes an online registration form for registering a securedomain name having a top-level domain name, such as .com, .net, org,.edu, mil or .gov. Of course, other secure top-level domain names canalso be used. Preferably, the requestor must have previously registereda non-secure domain name corresponding to the equivalent secure domainname that is being requested. For example, a requester attempting toregister secure domain name “website.scom” must have previouslyregistered the corresponding non-secure domain name “website.com”.

[0341] At step 3503, the secure domain name registry service at website3308 queries a non-secure domain name server database, such as standardDNS 3322, using, for example, a whois query, for determining ownershipinformation relating to the non-secure domain name corresponding to therequested secure domain name. At step 3504, the secure domain nameregistry service at website 3308 receives a reply from standard DNS 3322and at step 3505 determines whether there is conflicting ownershipinformation for the corresponding non-secure domain name. If there is noconflicting ownership information, flow continues to step 3507,otherwise flow continues to step 3506 where the requestor is informed ofthe conflicting ownership information. Flow returns to step 3502.

[0342] When there is no conflicting ownership information at step 3505,the secure domain name registry service (website 3308) informs therequestor that there is no conflicting ownership information and promptsthe requestor to verify the information entered into the online form andselect an approved form of payment. After confirmation of the enteredinformation and appropriate payment information, flow continues to step3508 where the newly registered secure domain name sent to SDNS 3313over communication link 3326.

[0343] If, at step 3505, the requested secure domain name does not havea corresponding equivalent non-secure domain name, the present inventioninforms the requestor of the situation and prompts the requestor foracquiring the corresponding equivalent non-secure domain name for anincreased fee. By accepting the offer, the present inventionautomatically registers the corresponding equivalent non-secure domainname with standard DNS 3325 in a well-known manner. Flow then continuesto step 3508.

G. Tunneling Secure Address Hopping Protocol Through Existing ProtocolUsing Web Proxy

[0344] The present invention also provides a technique for implementingthe field hopping schemes described above in an application program onthe client side of a firewall between two computer networks, and in thenetwork stack on the server side of the firewall. The present inventionuses a new secure connectionless protocol that provides good denial ofservice rejection capabilities by layering the new protocol on top of anexisting IP protocol, such as the ICMP, UDP or TCP protocols. Thus, thisaspect of the present invention does not require changes in the Internetinfrastructure.

[0345] According to the invention, communications are protected by aclient-side proxy application program that accepts unencrypted,unprotected communication packets from a local browser application. Theclient-side proxy application program tunnels the unencrypted,unprotected communication packets through a new protocol, therebyprotecting the communications from a denial of service at the serverside. Of course, the unencrypted, unprotected communication packets canbe encrypted prior to tunneling.

[0346] The client-side proxy application program is not an operatingsystem extension and does not involve any modifications to the operatingsystem network stack and drivers. Consequently, the client is easier toinstall, remove and support in comparison to a VPN. Moreover, theclient-side proxy application can be allowed through a corporatefirewall using a much smaller “hole” in the firewall and is less of asecurity risk in comparison to allowing a protocol layer VPN through acorporate firewall.

[0347] The server-side implementation of the present inventionauthenticates valid field-hopped packets as valid or invalid very earlyin the server packet processing, similar to a standard virtual privatenetwork, for greatly minimizing the impact of a denial of serviceattempt in comparison to normal TCP/IP and HTTP communications, therebyprotecting the server from invalid communications.

[0348]FIG. 36 shows a system block diagram of a computer network 3600 inwhich a virtual private connection according to the present inventioncan be configured to more easily traverse a firewall between twocomputer networks. FIG. 37 shows a flow diagram 3700 for establishing avirtual private connection that is encapsulated using an existingnetwork protocol.

[0349] In FIG. 36 a local area network (LAN) 3601 is connected toanother computer network 3602, such as the Internet, through a firewallarrangement 3603. Firewall arrangement operates in a well-known mannerto interface LAN 3601 to computer network 3602 and to protect LAN 3601from attacks initiated outside of LAN 3601.

[0350] A client computer 3604 is connected to LAN 3601 in a well-knownmanner. Client computer 3604 includes an operating system 3605 and a webbrowser 3606. Operating system 3605 provides kernel mode functions foroperating client computer 3604. Browser 3606 is an application programfor accessing computer network resources connected to LAN 3601 andcomputer network 3602 in a well-known manner. According to the presentinvention, a proxy application 3607 is also stored on client computer3604 and operates at an application layer in conjunction with browser3606. Proxy application 3607 operates at the application layer withinclient computer 3604 and when enabled, modifies unprotected, unencryptedmessage packets generated by browser 3606 by inserting data into themessage packets that are used for forming a virtual private connectionbetween client computer 3604 and a server computer connected to LAN 3601or computer network 3602. According to the invention, a virtual privateconnection does not provide the same level of security to the clientcomputer as a virtual private network. A virtual private connection canbe conveniently authenticated so that, for example, a denial of serviceattack can be rapidly rejected, thereby providing different levels ofservice that can be subscribed to by a user.

[0351] Proxy application 3607 is conveniently installed and uninstalledby a user because proxy application 3607 operates at the applicationlayer within client computer 3604. On installation, proxy application3607 preferably configures browser 3606 to use proxy application for allweb communications. That is, the payload portion of all message packetsis modified with the data for forming a virtual private connectionbetween client computer 3604 and a server computer. Preferably, the datafor forming the virtual private connection contains field-hopping data,such as described above in connection with VPNs. Also, the modifiedmessage packets preferably conform to the UDP protocol. Alternatively,the modified message packets can conform to the TCP/IP protocol or theICMP protocol. Alternatively, proxy application 3606 can be selected andenabled through, for example, an option provided by browser 3606.Additionally, proxy application 3607 can be enabled so that only thepayload portion of specially designated message packets is modified withthe data for forming a virtual private connection between clientcomputer 3604 and a designated host computer. Specially designatedmessage packets can be, for example, selected predetermined domainnames.

[0352] Referring to FIG. 37, at step 3701, unprotected and unencryptedmessage packets are generated by browser 3606. At step 3702, proxyapplication 3607 modifies the payload portion of all message packets bytunneling the data for forming a virtual private connection betweenclient computer 3604 and a destination server computer into the payloadportion. At step, 3703, the modified message packets are sent fromclient computer 3604 to, for example, website (server computer) 3608over computer network 3602.

[0353] Website 3608 includes a VPN guard portion 3609, a server proxyportion 3610 and a web server portion 3611. VPN guard portion 3609 isembedded within the kernel layer of the operating system of website 3608so that large bandwidth attacks on website 3608 are rapidly rejected.When client computer 3604 initiates an authenticated connection towebsite 3608, VPN guard portion 3609 is keyed with the hopping sequencecontained in the message packets from client computer 3604, therebyperforming a strong authentication of the client packet streams enteringwebsite 3608 at step 3704. VPN guard portion 3609 can be configured forproviding different levels of authentication and, hence, quality ofservice, depending upon a subscribed level of service. That is, VPNguard portion 3609 can be configured to let all message packets throughuntil a denial of service attack is detected, in which case VPN guardportion 3609 would allow only client packet streams conforming to akeyed hopping sequence, such as that of the present invention.

[0354] Server proxy portion 3610 also operates at the kernel layerwithin website 3608 and catches incoming message packets from clientcomputer 3604 at the VPN level. At step 3705, server proxy portion 3610authenticates the message packets at the kernel level within hostcomputer 3604 using the destination IP address, UDP ports anddiscriminator fields. The authenticated message packets are thenforwarded to the authenticated message packets to web server portion3611 as normal TCP web transactions.

[0355] At step 3705, web server portion 3611 responds to message packetsreceived from client computer 3604 in accordance with the particularnature of the message packets by generating reply message packets. Forexample, when a client computer requests a webpage, web server portion3611 generates message packets corresponding to the requested webpage.At step 3706, the reply message packets pass through server proxyportion 3610, which inserts data into the payload portion of the messagepackets that are used for forming the virtual private connection betweenhost computer 3608 and client computer 3604 over computer network 3602.Preferably, the data for forming the virtual private connection iscontains field-hopping data, such as described above in connection withVPNs. Server proxy portion 3610 operates at the kernel layer within hostcomputer 3608 to insert the virtual private connection data into thepayload portion of the reply message packets. Preferably, the modifiedmessage packets sent by host computer 3608 to client computer 3604conform to the UDP protocol. Alternatively, the modified message packetscan conform to the TCP/IP protocol or the ICMP protocol.

[0356] At step 3707, the modified packets are sent from host computer3608 over computer network 3602 and pass through firewall 3603. Oncethrough firewall 3603, the modified packets are directed to clientcomputer 3604 over LAN 3601 and are received at step 3708 by proxyapplication 3607 at the application layer within client computer 3604.Proxy application 3607 operates to rapidly evaluate the modified messagepackets for determining whether the received packets should be acceptedor dropped. If the virtual private connection data inserted into thereceived information packets conforms to expected virtual privateconnection data, then the received packets are accepted. Otherwise, thereceived packets are dropped.

[0357] While the present invention has been described in connection withthe illustrated embodiments, it will be appreciated and understood thatmodifications may be made without departing from the true spirit andscope of the invention.

What is claimed is:
 1. A method for establishing a secure communicationlink between a first computer and a second computer over a computernetwork, the method comprising steps of: enabling a secure communicationmode of communication at the first computer without a user entering anycryptographic information for establishing the secure communication modeof communication; and establishing the secure communication link betweenthe first computer and a second computer over a computer network basedon the enabled secure communication mode of communication, the securecommunication link being a virtual private network communication linkover the computer network.
 2. The method according to claim 1, furthercomprising steps of: determining whether a secure communication softwaremodule is stored on the first computer in response to the step ofenabling the secure communication mode of communication; accessing apredetermined computer network address for loading the securecommunication software module when the software module is not stored onthe first computer; and storing the software module in the firstcomputer.
 3. The method according to claim 1, wherein the virtualprivate network is based on inserting into each data packet one or moredata values that vary according to a pseudo-random sequence.
 4. Themethod according to claim 1, wherein the virtual private network isbased on inserting into at least one data packet at least one data valuerepresenting a predetermined level of service associated with thevirtual private network.
 5. The method according to claim 1, wherein thevirtual private network is based on a computer network address hoppingregime that is used to pseudorandomly change computer network addressesin packets transmitted between the first computer and the secondcomputer.
 6. The method according to claim 1, wherein the virtualprivate network is based on comparing a value in each data packettransmitted between the first computer and the second computer to amoving window of valid values.
 7. The method according to claim 1,wherein the virtual private network is based on a comparison of adiscriminator field in a header of each data packet to a table of validdiscriminator fields maintained for the first computer.
 8. The methodaccording to claim 1, wherein the computer network includes theInternet.
 9. The method according to claim 1, wherein the step ofenabling the secure communication mode of communication includes a stepof entering a command into the first computer that specifies the securecommunication mode.
 10. The method according to claim 9, wherein thecommand is entered to define a setup parameter associated with thesecure communication mode of communication, and wherein the securecommunication link is automatically established when a communicationlink is established over the computer network.
 11. The method accordingto claim 1, wherein the step of enabling a secure communication linkmode of operation includes a step of selecting an icon displayed on adisplay device of the first computer.
 12. The method according to claim1, further comprising a step of displaying an indication on a display ofthe first computer that the secure communication link is established.13. The method according to claim 12, wherein the indication is an icon.14. The method according to claim 1, wherein the secure communicationlink is one of a plurality of secure communication links in a hierarchyof secure communication links.
 15. The method according to claim 1,wherein the secure communication link is through a secure portalconnected to the computer network, and wherein the second computercomprises a secure domain name service.
 16. A computer-readable storagemedium, comprising: a storage area; and computer-readable instructionsfor a method for establishing a secure communication link between afirst computer and a second computer over a computer network, the methodcomprising steps of: enabling a secure communication mode ofcommunication at a first computer without a user entering anycryptographic information for establishing the secure communication modeof communication; and establishing a secure communication link betweenthe first computer and a second computer over a computer network basedon the enabled secure communication mode of communication, the securecommunication link being a virtual private network communication linkover the computer network.
 17. The computer-readable storage mediumaccording to claim 16, further comprising steps of: determining whethera secure communication software module is stored on the first computerin response to the step of enabling the secure communication mode ofcommunication; accessing a predetermined computer network address forloading the secure communication software module when the softwaremodule is not stored on the first computer; and storing the softwaremodule in the first computer.
 18. The computer-readable medium accordingto claim 16, wherein the virtual private network is based on insertinginto at least one data packet at least one data value representing apredetermined level of service associated with the virtual privatenetwork.
 19. The computer-readable storage medium according to claim 16,wherein the virtual private network is based on inserting into each datapacket one or more data values that vary according to a pseudo-randomsequence.
 20. The computer-readable storage medium according to claim16, wherein the virtual private network is based on a computer networkaddress hopping regime that is used to pseudorandomly change computernetwork addresses in packets transmitted between the first computer andthe second computer.
 21. The computer-readable storage medium accordingto claim 16, wherein the virtual private network is based on comparing avalue in each data packet transmitted between the first computer and thesecond computer to a moving window of valid values.
 22. Thecomputer-readable storage medium according to claim 16, wherein thevirtual private network is based on a comparison of a discriminatorfield in a header of each data packet to a table of valid discriminatorfields maintained for the first computer.
 23. The computer-readablestorage medium according to claim 16, wherein the computer networkincludes the Internet.
 24. The computer-readable storage mediumaccording to claim 16, wherein the step of enabling the securecommunication mode of communication includes a step of entering acommand into the first computer that specifies the secure communicationmode.
 25. The computer-readable storage medium according to claim 24,wherein the command is entered to define a setup parameter associatedwith the secure communication mode of communication, and wherein thesecure communication link is automatically established when acommunication link is established over the computer network.
 26. Thecomputer-readable storage medium according to claim 16, wherein the stepof enabling a secure communication link mode of operation includes astep of selecting an icon displayed on a display device of the firstcomputer.
 27. The computer-readable storage medium according to claim16, further comprising a step of displaying an indication on a displayof the first computer that the secure communication link is established.28. The computer-readable storage medium according to claim 27, whereinthe indication is an icon.
 29. The computer-readable storage mediumaccording to claim 16, wherein the secure communication link is one of aplurality of secure communication links in a hierarchy of securecommunication links.
 30. The computer-readable storage medium accordingto claim 16, wherein the secure communication link is through a secureportal connected to the computer network, and wherein the secondcomputer comprises a secure domain name service.